{"id":"UBUNTU-CVE-2023-46239","details":"quic-go is an implementation of the QUIC protocol in Go. Starting in version 0.37.0 and prior to version 0.37.3, by serializing an ACK frame after the CRYPTO that allows a node to complete the handshake, a remote node could trigger a nil pointer dereference (leading to a panic) when the node attempted to drop the Handshake packet number space. An attacker can bring down a quic-go node with very minimal effort. Completing the QUIC handshake only requires sending and receiving a few packets. Version 0.37.3 contains a patch. Versions before 0.37.0 are not affected.","modified":"2026-04-27T18:43:22.146551Z","published":"2023-10-31T16:15:00Z","upstream":["CVE-2023-46239"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-46239"},{"type":"REPORT","url":"https://github.com/quic-go/quic-go/security/advisories/GHSA-3q6m-v84f-6p9h"},{"type":"REPORT","url":"https://github.com/quic-go/quic-go/commit/b6a4725b60f1fe04e8f1ddcc3114e290fcea1617"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2023-46239"}],"affected":[{"package":{"name":"golang-github-lucas-clemente-quic-go","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/golang-github-lucas-clemente-quic-go@0.25.0-1?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.18.0-3","0.24.0-1","0.25.0-1"],"ecosystem_specific":{"binaries":[{"binary_name":"golang-github-lucas-clemente-quic-go-dev","binary_version":"0.25.0-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-46239.json"}},{"package":{"name":"golang-github-lucas-clemente-quic-go","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/golang-github-lucas-clemente-quic-go@0.38.2-1?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.37.4-1","0.38.2-1"],"ecosystem_specific":{"binaries":[{"binary_name":"golang-github-luca
s-clemente-quic-go-dev","binary_version":"0.38.2-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-46239.json"}},{"package":{"name":"golang-github-lucas-clemente-quic-go","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/golang-github-lucas-clemente-quic-go@0.50.1-2?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.50.0-1","0.50.1-2"],"ecosystem_specific":{"binaries":[{"binary_name":"golang-github-lucas-clemente-quic-go-dev","binary_version":"0.50.1-2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-46239.json"}},{"package":{"name":"golang-github-lucas-clemente-quic-go","ecosystem":"Ubuntu:26.04","purl":"pkg:deb/ubuntu/golang-github-lucas-clemente-quic-go@0.59.0-2?arch=source&distro=resolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.50.1-2","0.59.0-2"],"ecosystem_specific":{"binaries":[{"binary_name":"golang-github-lucas-clemente-quic-go-dev","binary_version":"0.59.0-2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-46239.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]}