CVE-2026-40170
Modified Modified - Updated After Analysis

Stack Buffer Overflow in ngtcp2 QUIC Transport Parameters

Vulnerability report for CVE-2026-40170, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-16

Last updated on: 2026-06-30

Assigner: GitHub, Inc.

Description

ngtcp2 is a C implementation of the IETF QUIC protocol. In versions prior to 1.22.1, ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte stack buffer without bounds checking. When qlog is enabled, a remote peer can send sufficiently large transport parameters during the QUIC handshake to cause writes beyond the buffer boundary, resulting in a stack buffer overflow. This affects deployments that enable the qlog callback and process untrusted peer transport parameters. This issue has been fixed in version 1.22.1. If developers are unable to immediately upgrade, they can disable the qlog on client.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-16
Last Modified
2026-06-30
Generated
2026-07-06
AI Q&A
2026-04-17
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
tatsuhiro-t ngtcp2 to 1.22.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
CWE-120 The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability exists in ngtcp2, a C implementation of the IETF QUIC protocol, in versions prior to 1.22.1. Specifically, the function ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte stack buffer without checking if the data fits within this buffer. When qlog is enabled, a remote peer can send very large transport parameters during the QUIC handshake, causing the function to write beyond the buffer boundary. This results in a stack buffer overflow.

This issue affects deployments that enable the qlog callback and process transport parameters from untrusted peers.

Impact Analysis

The vulnerability can lead to a stack buffer overflow when processing large transport parameters from a remote peer during the QUIC handshake if qlog is enabled. This can cause application crashes or potentially allow an attacker to execute arbitrary code or disrupt service availability.

The CVSS v3.1 base score of 7.5 indicates a high severity impact, with the main impact being on availability (A:H), meaning it can cause denial of service or service disruption.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade ngtcp2 to version 1.22.1 or later where the issue is fixed.

If an immediate upgrade is not possible, you can disable the qlog callback on the client side to prevent processing untrusted peer transport parameters that trigger the buffer overflow.

Compliance Impact

The vulnerability in ngtcp2 involves a stack buffer overflow when processing untrusted peer transport parameters with qlog enabled. This can lead to denial of service or potential exploitation affecting availability.

However, there is no information provided about any impact on confidentiality or integrity of data, nor any direct mention of compliance implications with standards such as GDPR or HIPAA.

Therefore, based on the available information, it is unclear how this vulnerability specifically affects compliance with common standards and regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40170. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart