{"id":"RUSTSEC-2024-0399","summary":"rustls network-reachable panic in `Acceptor::accept`","details":"A bug introduced in rustls 0.23.13 leads to a panic if the received\nTLS ClientHello is fragmented.  Only servers that use\n`rustls::server::Acceptor::accept()` are affected.\n\nServers that use `tokio-rustls`'s `LazyConfigAcceptor` API are affected.\n\nServers that use `tokio-rustls`'s `TlsAcceptor` API are not affected.\n\nServers that use `rustls-ffi`'s `rustls_acceptor_accept` API are affected.","aliases":["CVE-2024-11738","GHSA-qg5g-gv98-5ffh"],"modified":"2025-10-28T06:28:52.287248Z","published":"2024-11-22T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/rustls"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2024-0399.html"},{"type":"REPORT","url":"https://github.com/rustls/rustls/issues/2227"}],"affected":[{"package":{"name":"rustls","ecosystem":"crates.io","purl":"pkg:cargo/rustls"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.23.0"},{"fixed":"0.23.0"},{"introduced":"0.23.13"},{"fixed":"0.23.18"}]}],"ecosystem_specific":{"affects":{"os":[],"functions":[],"arch":[]},"affected_functions":null},"database_specific":{"cvss":null,"informational":null,"categories":["denial-of-service"],"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2024-0399.json"}}],"schema_version":"1.7.3"}