Description
ngtcp2 is a C implementation of the IETF QUIC protocol. In versions prior to 1.22.1, ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte stack buffer without bounds checking. When qlog is enabled, a remote peer can send sufficiently large transport parameters during the QUIC handshake to cause writes beyond the buffer boundary, resulting in a stack buffer overflow. This affects deployments that enable the qlog callback and process untrusted peer transport parameters. This issue has been fixed in version 1.22.1. If developers are unable to upgrade immediately, they can disable qlog on the client.
Published: 2026-04-16
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch
AI Analysis

Impact

ngtcp2 is a C implementation of the QUIC protocol. In all releases prior to 1.22.1, the function that logs transport parameters serializes peer data into a fixed 1024‑byte stack buffer without performing bounds checking. When the qlog callback is enabled, a remote peer can send transport parameters that exceed the buffer size during the QUIC handshake, causing writes beyond the buffer boundary. Based on the description, it is inferred that this stack buffer overflow could corrupt memory and potentially allow an attacker to execute arbitrary code, although such exploitation is not proven.
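
The bounds-checked pattern that prevents this class of overflow, as an added example (not ngtcp2's code or its actual fix): a hypothetical bounded writer serializes a peer-controlled value into a 1024-byte buffer and drops the event when it does not fit. The names bounded_buf, bb_write, serialize_peer_param and demo, and the "token" field, are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define QLOG_BUF_SIZE 1024 /* fixed buffer size named in the description */

/* Hypothetical bounded writer: tracks the end of the buffer and latches overflow. */
typedef struct { char *pos; char *end; int overflow; } bounded_buf;

/* Append n bytes only if they fit; otherwise set the flag and write nothing. */
static void bb_write(bounded_buf *b, const void *src, size_t n) {
  if (b->overflow || n > (size_t)(b->end - b->pos)) { b->overflow = 1; return; }
  memcpy(b->pos, src, n);
  b->pos += n;
}

/* Serialize one peer-controlled byte string as {"name":"<hex>"}.
 * Returns bytes written, or -1 if the event does not fit and must be dropped. */
long serialize_peer_param(char *out, size_t cap, const char *name,
                          const uint8_t *data, size_t len) {
  static const char hex[] = "0123456789abcdef";
  bounded_buf b = { out, out + cap, 0 };
  bb_write(&b, "{\"", 2);
  bb_write(&b, name, strlen(name));
  bb_write(&b, "\":\"", 3);
  for (size_t i = 0; i < len && !b.overflow; i++) {
    char pair[2] = { hex[data[i] >> 4], hex[data[i] & 0x0f] };
    bb_write(&b, pair, 2);
  }
  bb_write(&b, "\"}", 2);
  return b.overflow ? -1 : (long)(b.pos - out);
}

/* Constructed input: a peer value of `len` bytes run through the 1024-byte buffer. */
long demo(size_t len) {
  static uint8_t peer[4096];
  char buf[QLOG_BUF_SIZE];
  if (len > sizeof(peer)) return -1;
  memset(peer, 0xab, len);
  return serialize_peer_param(buf, sizeof(buf), "token", peer, len);
}

int main(void) {
  printf("16-byte value   -> %ld\n", demo(16));   /* fits */
  printf("2000-byte value -> %ld\n", demo(2000)); /* rejected, no out-of-bounds write */
  return 0;
}
```

The writer compares each append against the remaining space before copying, so an oversized peer value produces a dropped log event instead of a write past the end of the stack buffer.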

Affected Systems

The vulnerability is present in every ngtcp2 build older than version 1.22.1 when qlog is enabled. All deployments that use ngtcp2 and have the qlog feature active are affected. The fix was included in ngtcp2 1.22.1 and later.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity. The EPSS score is < 1%, indicating a very low but non‑zero exploitation probability, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires that the target endpoint has qlog enabled and that a remote peer, during the QUIC handshake, transmits transport parameters large enough to overflow the stack buffer. An attacker who successfully triggers the overflow could corrupt memory and potentially gain code execution or disrupt service.

Generated by OpenCVE AI on April 18, 2026 at 19:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ngtcp2 to version 1.22.1 or later to eliminate the vulnerability.
  • If an immediate upgrade is not possible, disable the qlog callback on the client side to prevent processing of untrusted transport parameters.
  • Monitor connection logs for unusually large transport parameters or abnormal handshake behavior that could indicate an attempt to exploit the overflow.



Advisories

No advisories yet.

History

Sat, 18 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
References
Metrics threat_severity

None

threat_severity

Important


Fri, 17 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
References

Thu, 16 Apr 2026 23:30:00 +0000

Type Values Removed Values Added
First Time appeared Ngtcp2
Ngtcp2 ngtcp2
Vendors & Products Ngtcp2
Ngtcp2 ngtcp2

Thu, 16 Apr 2026 22:00:00 +0000

Type Values Removed Values Added
Description ngtcp2 is a C implementation of the IETF QUIC protocol. In versions prior to 1.22.1, ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte stack buffer without bounds checking. When qlog is enabled, a remote peer can send sufficiently large transport parameters during the QUIC handshake to cause writes beyond the buffer boundary, resulting in a stack buffer overflow. This affects deployments that enable the qlog callback and process untrusted peer transport parameters. This issue has been fixed in version 1.22.1. If developers are unable to immediately upgrade, they can disable the qlog on client.
Title ngtcp2 has a qlog transport parameter serialization stack buffer overflow
Weaknesses CWE-121
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-17T18:17:35.758Z

Reserved: 2026-04-09T19:31:56.015Z

Link: CVE-2026-40170

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-16T22:16:38.220

Modified: 2026-04-17T19:16:37.763

Link: CVE-2026-40170

Redhat

Severity : Important

Public Date: 2026-04-16T21:34:07Z

Links: CVE-2026-40170 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T19:30:08Z

Weaknesses