Memory exhaustion in QUIC connection handling in crypto/tls

GO-2023-2045 · BIT-golang-2023-39322 · CVE-2023-39322

Published Sep 7, 2023 · Modified Feb 4, 2026

Description

QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth.

With fix, connections now consistently reject messages larger than 65KiB in size.

References

REPORT https://go.dev/issue/62266
FIX https://go.dev/cl/523039
WEB https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes