Vulnerabilities > CVE-2024-34161 - Use After Free vulnerability in multiple products

CVSS 5.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

LOW

Integrity impact

NONE

Availability impact

NONE

network

low complexity

fedoraproject

CWE-416

NVD

Published: 2024-05-29

Updated: 2025-01-24

Summary

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module and the network infrastructure supports a Maximum Transmission Unit (MTU) of 4096 or greater without fragmentation, undisclosed QUIC packets can cause NGINX worker processes to leak previously freed memory.

Vulnerable Configurations

Part	Description	Count
Application	F5 F5 Nginx Plus R30 F5 Nginx Plus R31 F5 Nginx Open Source 1.25.0 F5 Nginx Open Source 1.25.1 F5 Nginx Open Source 1.25.2 F5 Nginx Open Source 1.25.3 F5 Nginx Open Source 1.25.4	10
OS	Fedoraproject Fedoraproject Fedora 39 Fedoraproject Fedora 40	2

Common Weakness Enumeration (CWE)

CWE-416 - Use After Free

References

http://www.openwall.com/lists/oss-security/2024/05/30/4
http://www.openwall.com/lists/oss-security/2024/05/30/4
https://lists.fedoraproject.org/archives/list/[email protected]/message/MLAOKJWDALQZBIV3WKGPJ6T5Z56D3PRD/
https://lists.fedoraproject.org/archives/list/[email protected]/message/MLAOKJWDALQZBIV3WKGPJ6T5Z56D3PRD/
https://lists.fedoraproject.org/archives/list/[email protected]/message/R7RPLWC35WHEUFCGKNFG62ESNID25TEZ/
https://lists.fedoraproject.org/archives/list/[email protected]/message/R7RPLWC35WHEUFCGKNFG62ESNID25TEZ/
https://my.f5.com/manage/s/article/K000139627
https://my.f5.com/manage/s/article/K000139627