{"id":"CVE-2024-32650","summary":"Rustls vulnerable to an infinite loop in rustls::conn::ConnectionCommon::complete_io() with proper client input","details":"Rustls is a modern TLS library written in Rust. `rustls::ConnectionCommon::complete_io` could fall into an infinite loop based on network input. When using a blocking rustls server, if a client sends a `close_notify` message immediately after `client_hello`, the server's `complete_io` will get in an infinite loop. This vulnerability is fixed in 0.23.5, 0.22.4, and 0.21.11.","aliases":["GHSA-6g7w-8wpp-frhj","RUSTSEC-2024-0336"],"modified":"2026-04-10T05:12:15.480020Z","published":"2024-04-19T16:05:44.050Z","related":["CGA-f8qw-rjr9-54v6","SUSE-SU-2025:02809-1","SUSE-SU-2025:02810-1","SUSE-SU-2025:02811-1","SUSE-SU-2025:03629-1","SUSE-SU-2025:20057-1","openSUSE-SU-2024:0130-1","openSUSE-SU-2024:13893-1","openSUSE-SU-2024:13903-1","openSUSE-SU-2024:13904-1","openSUSE-SU-2024:13912-1","openSUSE-SU-2024:13917-1","openSUSE-SU-2024:13923-1","openSUSE-SU-2024:13961-1","openSUSE-SU-2024:13969-1","openSUSE-SU-2024:14424-1"],"database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/32xxx/CVE-2024-32650.json","cwe_ids":["CWE-835"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/32xxx/CVE-2024-32650.json"},{"type":"ADVISORY","url":"https://github.com/rustls/rustls/security/advisories/GHSA-6g7w-8wpp-frhj"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-32650"},{"type":"FIX","url":"https://github.com/rustls/rustls/commit/2123576840aa31043a31b0770e6572136fbe0c2d"},{"type":"FIX","url":"https://github.com/rustls/rustls/commit/6e938bcfe82a9da7a2e1cbf10b928c7eca26426e"},{"type":"FIX","url":"https://github.com/rustls/rustls/commit/f45664fbded03d833dffd806503d3c8becd1b71e"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rustls/rustls","events":[{"introduced":"0"},{"fixed":"2123576840aa31043a31b0770e6572136fbe0c2d"}]},{"type":"GIT","repo":"https://github.com/rustls/rustls","events":[{"introduced":"0"},{"fixed":"6e938bcfe82a9da7a2e1cbf10b928c7eca26426e"}]},{"type":"GIT","repo":"https://github.com/rustls/rustls","events":[{"introduced":"0"},{"fixed":"f45664fbded03d833dffd806503d3c8becd1b71e"}]},{"type":"GIT","repo":"https://github.com/rustls/rustls","events":[{"introduced":"0"},{"fixed":"2123576840aa31043a31b0770e6572136fbe0c2d"}]},{"type":"GIT","repo":"https://github.com/rustls/rustls","events":[{"introduced":"0"},{"fixed":"6e938bcfe82a9da7a2e1cbf10b928c7eca26426e"}]},{"type":"GIT","repo":"https://github.com/rustls/rustls","events":[{"introduced":"0"},{"fixed":"f45664fbded03d833dffd806503d3c8becd1b71e"}]}],"versions":["rustls-post-quantum-v/0.1.0","v/0.1.0","v/0.1.1","v/0.1.2","v/0.10.0","v/0.11.0","v/0.12.0","v/0.13.0","v/0.14.0","v/0.15.0","v/0.15.1","v/0.15.2","v/0.16.0","v/0.17.0","v/0.18.0","v/0.18.1","v/0.19.0","v/0.20.0","v/0.20.0-beta1","v/0.20.0-beta2","v/0.20.1","v/0.20.2","v/0.20.3","v/0.20.4","v/0.20.5","v/0.20.6","v/0.20.7","v/0.20.8","v/0.21.0","v/0.21.0-alpha.1","v/0.21.1","v/0.21.2","v/0.22.0","v/0.23.0","v/0.23.1","v/0.23.2","v/0.23.3","v/0.23.4","v/0.5.0","v/0.5.1","v/0.5.2","v/0.5.3","v/0.5.4","v/0.5.5","v/0.5.6","v/0.5.7","v/0.5.8","v/0.6.0","v/0.7.0","v/0.8.0","v/0.9.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-32650.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}