{"id":"GO-2024-2682","summary":"Denial of service via connection starvation in github.com/quic-go/quic-go","details":"An attacker can cause its peer to run out of memory by sending a large number of NEW_CONNECTION_ID frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a RETIRE_CONNECTION_ID frame. The attacker can prevent the receiver from sending out (the vast majority of) these RETIRE_CONNECTION_ID frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate.","aliases":["CVE-2024-22189","GHSA-c33x-xqrf-c478"],"modified":"2026-03-17T04:49:08.396062Z","published":"2024-04-05T16:53:41Z","related":["CGA-5cg8-j3ff-f9wv"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2024-2682"},"references":[{"type":"FIX","url":"https://github.com/quic-go/quic-go/commit/4a99b816ae3ab03ae5449d15aac45147c85ed47a"},{"type":"WEB","url":"https://seemann.io/posts/2024-03-19-exploiting-quics-connection-id-management"}],"affected":[{"package":{"name":"github.com/quic-go/quic-go","ecosystem":"Go","purl":"pkg:golang/github.com/quic-go/quic-go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.42.0"}]}],"ecosystem_specific":{"imports":[{"symbols":["Dial","DialAddr","DialAddrEarly","DialEarly","Listen","ListenAddr","ListenAddrEarly","ListenEarly","Transport.Dial","Transport.DialEarly","Transport.Listen","Transport.ListenEarly","connIDGenerator.Retire","connIDGenerator.SetMaxActiveConnIDs","connIDManager.Add","connIDManager.Get","connection.AcceptStream","connection.AcceptUniStream","connection.OpenStream","connection.OpenStreamSync","connection.OpenUniStream","connection.OpenUniStreamSync","connection.run","framerI.AppendStreamFrames","framerI.QueueControlFrame","packetPacker.AppendPacket","packetPacker.MaybePackProbePacket","packetPacker.PackAckOnlyPacket","packetPacker.PackApplicationClose","packetPacker.PackCoalescedPacket","packetPacker.PackConnectionClose","packetPacker.PackMTUProbePacket","receiveStream.CancelRead","receiveStream.CloseRemote","receiveStream.Read","sendStream.CancelWrite","streamsMap.AcceptStream","streamsMap.AcceptUniStream","streamsMap.DeleteStream","streamsMap.HandleMaxStreamsFrame","streamsMap.OpenStream","streamsMap.OpenStreamSync","streamsMap.OpenUniStream","streamsMap.OpenUniStreamSync","streamsMap.UpdateLimits","windowUpdateQueue.QueueAll"],"path":"github.com/quic-go/quic-go"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2024-2682.json"}}],"schema_version":"1.7.5","credits":[{"name":"marten-seemann"}]}