{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40170", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-09T19:31:56.015Z", "datePublished": "2026-04-16T21:34:07.610Z", "dateUpdated": "2026-04-16T21:34:07.610Z"}, "containers": {"cna": {"title": "ngtcp2 has a qlog transport parameter serialization stack buffer overflow", "problemTypes": [{"descriptions": [{"cweId": "CWE-121", "lang": "en", "description": "CWE-121: Stack-based Buffer Overflow", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ngtcp2/ngtcp2/security/advisories/GHSA-f523-465f-8c8f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ngtcp2/ngtcp2/security/advisories/GHSA-f523-465f-8c8f"}, {"name": "https://github.com/ngtcp2/ngtcp2/commit/708a7640c1f48fb8ffb540c4b8ea5b4c1dfb8ee5", "tags": ["x_refsource_MISC"], "url": "https://github.com/ngtcp2/ngtcp2/commit/708a7640c1f48fb8ffb540c4b8ea5b4c1dfb8ee5"}], "affected": [{"vendor": "ngtcp2", "product": "ngtcp2", "versions": [{"version": "< 1.22.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-16T21:34:07.610Z"}, "descriptions": [{"lang": "en", "value": "ngtcp2 is a C implementation of the IETF QUIC protocol. In versions prior to 1.22.1, ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte stack buffer without bounds checking. When qlog is enabled, a remote peer can send sufficiently large transport parameters during the QUIC handshake to cause writes beyond the buffer boundary, resulting in a stack buffer overflow. This affects deployments that enable the qlog callback and process untrusted peer transport parameters. This issue has been fixed in version 1.22.1. If developers are unable to immediately upgrade, they can disable the qlog on client."}], "source": {"advisory": "GHSA-f523-465f-8c8f", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "ngtcp2 is a C implementation of the IETF QUIC protocol. In versions prior to 1.22.1, ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte stack buffer without bounds checking. When qlog is enabled, a remote peer can send sufficiently large transport parameters during the QUIC handshake to cause writes beyond the buffer boundary, resulting in a stack buffer overflow. This affects deployments that enable the qlog callback and process untrusted peer transport parameters. This issue has been fixed in version 1.22.1. If developers are unable to immediately upgrade, they can disable the qlog on client."}], "id": "CVE-2026-40170", "lastModified": "2026-04-16T22:16:38.220", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-16T22:16:38.220", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/ngtcp2/ngtcp2/commit/708a7640c1f48fb8ffb540c4b8ea5b4c1dfb8ee5"}, {"source": "security-advisories@github.com", "url": "https://github.com/ngtcp2/ngtcp2/security/advisories/GHSA-f523-465f-8c8f"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-121"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.22.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "ngtcp2", "source": "cna", "vendor": "ngtcp2"}, "product": "ngtcp2", "vendor": "ngtcp2"}], "analysis": {"en": {"generated_at": "2026-04-17T03:21:33.259587+00:00", "value": {"mitigation_remediation": ["Upgrade ngtcp2 to version\u00a01.22.1 or later to eliminate the vulnerability.", "If an immediate upgrade is not possible, disable the qlog callback on the client side to prevent processing of untrusted transport parameters.", "Monitor connection logs for unusually large transport parameters or abnormal handshake behavior that could indicate an attempt to exploit the overflow."], "summary": {"action": "Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in every ngtcp2 build older than version\u00a01.22.1 when qlog is enabled. All deployments that use ngtcp2 and have the qlog feature active are affected. The fix was included in ngtcp2\u00a01.22.1 and later.", "description_and_impact": "ngtcp2 is a C implementation of the QUIC protocol. In all releases prior to 1.22.1, the function that logs transport parameters serializes peer data into a fixed 1024\u2011byte stack buffer without performing bounds checking. When the qlog callback is enabled, a remote peer can send transport parameters that exceed the buffer size during the QUIC handshake, causing writes beyond the buffer boundary. Based on the description, it is inferred that this stack buffer overflow could corrupt memory and potentially allow an attacker to execute arbitrary code, although such exploitation is not proven.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity. No EPSS score is available and the vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation would require a remote peer to initiate a QUIC connection, enable qlog, and transmit transport parameters that overflow the stack buffer. An attacker who successfully triggers the overflow could corrupt memory and potentially gain code execution or disrupt service."}}}}, "created": "2026-04-16T23:30:04.077758+00:00", "updated": "2026-04-17T03:30:08.587977+00:00", "vendors": ["ngtcp2", "ngtcp2$PRODUCT$ngtcp2"]}