{"id":"GO-2023-2045","summary":"Memory exhaustion in QUIC connection handling in crypto/tls","details":"QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth.\n\nWith the fix, connections now consistently reject messages larger than 65KiB in size.","aliases":["BIT-golang-2023-39322","CVE-2023-39322"],"modified":"2026-02-04T03:41:43.927111Z","published":"2023-09-07T16:12:01Z","related":["CGA-38v5-7p3f-9rx3"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2023-2045"},"references":[{"type":"REPORT","url":"https://go.dev/issue/62266"},{"type":"FIX","url":"https://go.dev/cl/523039"},{"type":"WEB","url":"https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ"}],"affected":[{"package":{"name":"stdlib","ecosystem":"Go","purl":"pkg:golang/stdlib"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.21.0-0"},{"fixed":"1.21.1"}]}],"ecosystem_specific":{"imports":[{"symbols":["QUICConn.HandleData"],"path":"crypto/tls"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2023-2045.json"}}],"schema_version":"1.7.3","credits":[{"name":"Marten Seemann"}]}