{"id":"UBUNTU-CVE-2024-32650","details":"Rustls is a modern TLS library written in Rust. `rustls::ConnectionCommon::complete_io` could fall into an infinite loop based on network input. When using a blocking rustls server, if a client sends a `close_notify` message immediately after `client_hello`, the server's `complete_io` will enter an infinite loop. This vulnerability is fixed in 0.23.5, 0.22.4, and 0.21.11.","modified":"2026-01-20T19:11:34.414821Z","published":"2024-04-19T16:15:00Z","upstream":["CVE-2024-32650"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-32650"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2024-32650"},{"type":"REPORT","url":"https://github.com/rustls/rustls/security/advisories/GHSA-6g7w-8wpp-frhj"}],"affected":[{"package":{"name":"rust-rustls","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/rust-rustls@0.21.10-1?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.21.6-3","0.21.7-1","0.21.9-1","0.21.10-1"],"ecosystem_specific":{"binaries":[{"binary_name":"librust-rustls-dev","binary_version":"0.21.10-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-32650.json"}},{"package":{"name":"rust-rustls","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/rust-rustls@0.23.26+ds-1?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.23.25+ds-1","0.23.26+ds-1"],"ecosystem_specific":{"binaries":[{"binary_name":"librust-rustls-dev","binary_version":"0.23.26+ds-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-32650.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]}