CVE-2026-40170
Stack Buffer Overflow in ngtcp2 QUIC Transport Parameters
Publication date: 2026-04-16
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ngtcp2 | ngtcp2 | before 1.22.1 (1.22.1 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in ngtcp2, a C implementation of the IETF QUIC protocol, in versions prior to 1.22.1. Specifically, the function ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte stack buffer without checking whether the data fits within that buffer. When qlog is enabled, a remote peer can send very large transport parameters during the QUIC handshake, causing the function to write beyond the buffer boundary. This results in a stack buffer overflow.
This issue affects deployments that enable the qlog callback and process transport parameters from untrusted peers.
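The bounded-writer pattern that prevents this class of bug, shown as an added example that is not ngtcp2's code: every field of the qlog output goes through one helper that checks the remaining space in the fixed 1024-byte buffer and fails instead of writing past the end. The `tp_entry_t` type, the parameter ids and the 600-byte value are constructed for illustration.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define QLOG_BUF_SIZE 1024 /* the fixed stack buffer size named in the advisory */

/* One peer transport parameter as received: id plus raw value bytes (constructed type). */
typedef struct { uint64_t id; const uint8_t *val; size_t len; } tp_entry_t;

/* Bounded append into buf[*pos, cap). Fails instead of writing past the end. */
static int qlog_append(char *buf, size_t cap, size_t *pos, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf + *pos, cap - *pos, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= cap - *pos) return -1; /* would truncate: caller must bail out */
    *pos += (size_t)n;
    return 0;
}

/* Serialize parameters as JSON into out[cap]. Returns bytes written, or -1 if they do not fit. */
int qlog_write_params(const tp_entry_t *tp, size_t n, char *out, size_t cap)
{
    size_t pos = 0;
    if (qlog_append(out, cap, &pos, "{\"params\":[") < 0) return -1;
    for (size_t i = 0; i < n; i++) {
        if (qlog_append(out, cap, &pos, "%s{\"id\":%llu,\"value\":\"",
                        i ? "," : "", (unsigned long long)tp[i].id) < 0) return -1;
        for (size_t j = 0; j < tp[i].len; j++)          /* hex-encode the value byte by byte */
            if (qlog_append(out, cap, &pos, "%02x", tp[i].val[j]) < 0) return -1;
        if (qlog_append(out, cap, &pos, "\"}") < 0) return -1;
    }
    if (qlog_append(out, cap, &pos, "]}") < 0) return -1;
    return (int)pos;
}

/* Demo: a 600-byte value (1200 hex chars) cannot fit in 1024 bytes; the writer refuses it
 * and the canary placed directly after the buffer is untouched. */
int demo_oversized_rejected(void)
{
    struct { char buf[QLOG_BUF_SIZE]; char canary[8]; } s;   /* canary directly after the buffer */
    memset(s.canary, 0x5a, sizeof s.canary);
    uint8_t big[600]; memset(big, 0xab, sizeof big);           /* constructed hostile value */
    tp_entry_t bad[] = {{0x01, big, 4}, {0x7f, big, sizeof big}};
    int rc = qlog_write_params(bad, 2, s.buf, sizeof s.buf);
    return rc == -1 && memcmp(s.canary, "\x5a\x5a\x5a\x5a\x5a\x5a\x5a\x5a", 8) == 0;
}

int main(void) { printf("oversized parameters rejected: %s\n", demo_oversized_rejected() ? "yes" : "NO"); return 0; }
```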
How can this vulnerability impact me?
The vulnerability can lead to a stack buffer overflow when processing large transport parameters from a remote peer during the QUIC handshake if qlog is enabled. This can cause application crashes or potentially allow an attacker to execute arbitrary code or disrupt service availability.
The CVSS v3.1 base score of 7.5 indicates a high severity impact, with the main impact being on availability (A:H), meaning it can cause denial of service or service disruption.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade ngtcp2 to version 1.22.1 or later where the issue is fixed.
If an immediate upgrade is not possible, you can disable the qlog callback on the client side to prevent processing untrusted peer transport parameters that trigger the buffer overflow.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in ngtcp2 involves a stack buffer overflow when processing untrusted peer transport parameters with qlog enabled. This can lead to denial of service or potential exploitation affecting availability.
However, there is no information provided about any impact on confidentiality or integrity of data, nor any direct mention of compliance implications with standards such as GDPR or HIPAA.
Therefore, based on the available information, it is unclear how this vulnerability specifically affects compliance with common standards and regulations.