
CVE-2024-24990: When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests...

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.41154%
Published: 2/14/2024
Updated: 6/10/2024
KEV Status: No
Technology: -

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vulnerability Intelligence
Root Cause Analysis

The analysis started by fetching content from the provided URLs. The F5 advisory link was not functional. The oss-security mailing list provided crucial information, pinpointing the vulnerability to the ngx_http_v3_module in Nginx versions 1.25.0 - 1.25.3, with a fix in 1.25.4. Since direct commit URLs were unavailable, repository tags were fetched for nginx/nginx. The commits between 'release-1.25.3' (last vulnerable) and 'release-1.25.4' (first fixed) were compared. Two specific commits, 5818f8a6693b3c0d95021f2ee58b69dcf848911c and 5902baf680609f884a1e11ff2b82a0bffb3724cc, were identified as directly addressing issues within the QUIC implementation that align with the vulnerability description (worker process crash, use-after-free). The commit messages and diffs for these commits confirmed that ngx_quic_stream_cleanup_handler and ngx_quic_decrypt were modified to fix use-after-free and segfault issues, respectively. These functions are therefore identified as the vulnerable functions.
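A triage check built from the facts above, as an added example that is not Miggo's or the NGINX project's code: it classifies one host from the text of `nginx -V` and a configuration dump (`nginx -T`). The function names, result labels and sample inputs are assumptions constructed for illustration; NGINX Plus builds are returned as "unknown" because this page gives no Plus release range.

```python
import re

# Open-source range stated on this page: 1.25.0 - 1.25.3 affected, 1.25.4 fixed.
FIRST_AFFECTED = (1, 25, 0)
FIRST_FIXED = (1, 25, 4)

def parse_version(nginx_v_output):
    """Return (major, minor, patch) from `nginx -V` text (printed on stderr), or None."""
    m = re.search(r"nginx version: nginx/(\d+)\.(\d+)\.(\d+)", nginx_v_output)
    return tuple(int(x) for x in m.groups()) if m else None

def quic_listeners(config_text):
    """Return the listen directives that carry the `quic` parameter, skipping comments."""
    found = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0]          # drop trailing or whole-line comments
        for args in re.findall(r"\blisten\s+([^;]+);", line):
            if "quic" in args.split():
                found.append("listen " + " ".join(args.split()) + ";")
    return found

def triage(nginx_v_output, config_text):
    """Classify exposure to CVE-2024-24990 for an open-source NGINX build."""
    version = parse_version(nginx_v_output)
    if version is None or "nginx-plus" in nginx_v_output:
        return "unknown"                     # needs manual review against the vendor advisory
    if not (FIRST_AFFECTED <= version < FIRST_FIXED):
        return "not-affected-version"
    if "--with-http_v3_module" not in nginx_v_output:
        return "affected-version-module-not-built"
    if not quic_listeners(config_text):
        return "affected-version-quic-not-configured"
    return "exposed"

# Constructed sample inputs (not captured from a real host).
SAMPLE_V = ("nginx version: nginx/1.25.3\n"
            "configure arguments: --with-http_ssl_module --with-http_v3_module\n")
SAMPLE_CONF = """
server {
    listen 443 ssl;
    listen 443 quic reuseport;  # HTTP/3
    # listen 8443 quic;
}
"""

if __name__ == "__main__":
    print(triage(SAMPLE_V, SAMPLE_CONF), quic_listeners(SAMPLE_CONF))
```

Only the "exposed" result means all three conditions hold: an affected version, a binary built with the HTTP/3 module, and at least one active `listen ... quic` directive.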

WAF Protection Rules

WAF Rule

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more informati
