CVE-2024-34161 MEDIUM

CVE-2024-34161: NGINX HTTP/3 QUIC vulnerability

Vendor: F5
Product: NGINX Open Source
Weakness: CWE-416
Published: May 29, 2024
Last update: February 13, 2025

CVSS base score

5.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: Low
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

Description

When NGINX Plus or NGINX OSS is configured to use the HTTP/3 QUIC module and the network infrastructure supports a Maximum Transmission Unit (MTU) of 4096 or greater without fragmentation, undisclosed QUIC packets can cause NGINX worker processes to leak previously freed memory.

Key dates

Disclosure timeline

May 29, 2024: CVE published
February 13, 2025: Record updated