7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-2x7m-gf85-3745

GHSA-2x7m-gf85-3745: Remote Denial of Service Vulnerability in Microsoft QUIC

Impact

The MsQuic server will continue to leak memory until no more is available, resulting in a denial of service.

Patches

The following patch was made:

Fix Memory Leak from Multiple Decodes of TP - https://github.com/microsoft/msquic/commit/5d070d661c45979946615289e92bb6b822efe9e9

Workarounds

Beyond upgrading to the patched versions, there is no other workaround.

MSRC CVE Info

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26190

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-2x7m-gf85-3745

GHSA-2x7m-gf85-3745:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
Microsoft.Native.Quic.MsQuic.OpenSSL	nuget	< 2.1.12	2.1.12
Microsoft.Native.Quic.MsQuic.Schannel	nuget	>= 2.2.0, < 2.2.7	2.2.7
Microsoft.Native.Quic.MsQuic.Schannel	nuget	>= 2.3.0, < 2.3.5	2.3.5
Microsoft.Native.Quic.MsQuic.Schannel	nuget	< 2.1.12	2.1.12
Microsoft.Native.Quic.MsQuic.OpenSSL	nuget	>= 2.2.0, < 2.2.7	2.2.7
Microsoft.Native.Quic.MsQuic.OpenSSL	nuget	>= 2.3.0, < 2.3.5	2.3.5

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper memory management of retired Connection IDs (CIDs). The unpatched QuicConnRetireCid() function did not enforce a limit on retired CIDs (no RetiredDestCidCount tracking), allowing attackers to exhaust memory. The unpatched QuicLossDetectionOnPacketAcknowledged() function failed to decrement the retired CID counter when freeing memory, preventing proper cleanup. The patch adds RetiredDestCidCount tracking/limits in QuicConnRetireCid and counter decrements in QuicLossDetectionOnPacketAcknowledged, directly addressing the memory leak mechanism described in CWE-401.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-2x7m-gf85-3745: Remote Denial of Service Vulnerability in Microsoft QUIC

Impact

Patches

Workarounds

MSRC CVE Info

GHSA-2x7m-gf85-3745:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

7.5

7.5

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

GHSA-2x7m-gf85-3745: Remote Denial of Service Vulnerability in Microsoft QUIC

Impact

Patches

Workarounds

MSRC CVE Info

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI