CVE-2024-22189 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2024-22189 Interim 1 13 2025-10-05T00:24:52Z current 2024-04-08T23:10:04Z 2025-10-05T00:24:52Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2024-22189 quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.42.0, an attacker can cause its peer to run out of memory sending a large number of `NEW_CONNECTION_ID` frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a `RETIRE_CONNECTION_ID` frame. The attacker can prevent the receiver from sending out (the vast majority of) these `RETIRE_CONNECTION_ID` frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate. Version 0.42.0 contains a patch for the issue. No known workarounds are available. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4POHOO6U2FW5XKZT7HPGZAJF7LQQW3W4/ E-Mail link for openSUSE-SU-2024:0211-1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QNDMJCVODSMOIFD655EHBVQRLNUDXLQK/ E-Mail link for openSUSE-SU-2024:0220-1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2JLUFKCHWHJJ2MQ6XRREF7D4OOWB23V2/ E-Mail link for openSUSE-SU-2024:0319-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Package Hub 15 SP5 SUSE Package Hub 15 SP6 openSUSE Leap 15.5 openSUSE Leap 15.6 openSUSE Tumbleweed caddy-2.8.4-1.1 caddy-2.8.4-bp155.2.3.1 caddy-2.8.4-bp156.3.3.1 caddy-bash-completion-2.8.4-bp155.2.3.1 caddy-bash-completion-2.8.4-bp156.3.3.1 caddy-fish-completion-2.8.4-bp155.2.3.1 caddy-fish-completion-2.8.4-bp156.3.3.1 caddy-zsh-completion-2.8.4-bp155.2.3.1 caddy-zsh-completion-2.8.4-bp156.3.3.1 coredns-1.11.1-5.1 coredns-1.11.3-bp156.4.3.1 coredns-extras-1.11.1-5.1 coredns-extras-1.11.3-bp156.4.3.1 golang-github-v2fly-v2ray-core-5.15.1-1.1 golang-github-v2fly-v2ray-core-5.33.0-bp156.2.3.1 kubo-0.27.0-2.1 kubo-0.32.1-bp156.2.3.1 syncthing-1.27.6-1.1 syncthing-relaysrv-1.27.6-1.1 v2ray-core-5.15.1-1.1 v2ray-core-5.33.0-bp156.2.3.1 caddy-2.8.4-bp155.2.3.1 as a component of SUSE Package Hub 15 SP5 caddy-bash-completion-2.8.4-bp155.2.3.1 as a component of SUSE Package Hub 15 SP5 caddy-fish-completion-2.8.4-bp155.2.3.1 as a component of SUSE Package Hub 15 SP5 caddy-zsh-completion-2.8.4-bp155.2.3.1 as a component of SUSE Package Hub 15 SP5 caddy-2.8.4-bp156.3.3.1 as a component of SUSE Package Hub 15 SP6 caddy-bash-completion-2.8.4-bp156.3.3.1 as a component of SUSE Package Hub 15 SP6 caddy-fish-completion-2.8.4-bp156.3.3.1 as a component of SUSE Package Hub 15 SP6 caddy-zsh-completion-2.8.4-bp156.3.3.1 as a component of SUSE Package Hub 15 SP6 coredns-1.11.3-bp156.4.3.1 as a component of SUSE Package Hub 15 SP6 coredns-extras-1.11.3-bp156.4.3.1 as a component of SUSE Package Hub 15 SP6 golang-github-v2fly-v2ray-core-5.33.0-bp156.2.3.1 as a component of SUSE Package Hub 15 SP6 kubo-0.32.1-bp156.2.3.1 as a component of SUSE Package Hub 15 SP6 v2ray-core-5.33.0-bp156.2.3.1 as a component of SUSE Package Hub 15 SP6 caddy-2.8.4-bp155.2.3.1 as a component of openSUSE Leap 15.5 caddy-bash-completion-2.8.4-bp155.2.3.1 as a component of openSUSE Leap 15.5 caddy-fish-completion-2.8.4-bp155.2.3.1 as a component of openSUSE Leap 15.5 caddy-zsh-completion-2.8.4-bp155.2.3.1 as a component of openSUSE Leap 15.5 caddy-2.8.4-bp156.3.3.1 as a component of openSUSE Leap 15.6 caddy-bash-completion-2.8.4-bp156.3.3.1 as a component of openSUSE Leap 15.6 caddy-fish-completion-2.8.4-bp156.3.3.1 as a component of openSUSE Leap 15.6 caddy-zsh-completion-2.8.4-bp156.3.3.1 as a component of openSUSE Leap 15.6 coredns-1.11.3-bp156.4.3.1 as a component of openSUSE Leap 15.6 coredns-extras-1.11.3-bp156.4.3.1 as a component of openSUSE Leap 15.6 golang-github-v2fly-v2ray-core-5.33.0-bp156.2.3.1 as a component of openSUSE Leap 15.6 kubo-0.32.1-bp156.2.3.1 as a component of openSUSE Leap 15.6 v2ray-core-5.33.0-bp156.2.3.1 as a component of openSUSE Leap 15.6 caddy-2.8.4-1.1 as a component of openSUSE Tumbleweed coredns-1.11.1-5.1 as a component of openSUSE Tumbleweed coredns-extras-1.11.1-5.1 as a component of openSUSE Tumbleweed golang-github-v2fly-v2ray-core-5.15.1-1.1 as a component of openSUSE Tumbleweed kubo-0.27.0-2.1 as a component of openSUSE Tumbleweed syncthing-1.27.6-1.1 as a component of openSUSE Tumbleweed syncthing-relaysrv-1.27.6-1.1 as a component of openSUSE Tumbleweed v2ray-core-5.15.1-1.1 as a component of openSUSE Tumbleweed quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.42.0, an attacker can cause its peer to run out of memory sending a large number of `NEW_CONNECTION_ID` frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a `RETIRE_CONNECTION_ID` frame. The attacker can prevent the receiver from sending out (the vast majority of) these `RETIRE_CONNECTION_ID` frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate. Version 0.42.0 contains a patch for the issue. No known workarounds are available. CVE-2024-22189 SUSE Package Hub 15 SP5:caddy-2.8.4-bp155.2.3.1 SUSE Package Hub 15 SP5:caddy-bash-completion-2.8.4-bp155.2.3.1 SUSE Package Hub 15 SP5:caddy-fish-completion-2.8.4-bp155.2.3.1 SUSE Package Hub 15 SP5:caddy-zsh-completion-2.8.4-bp155.2.3.1 SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1 SUSE Package Hub 15 SP6:caddy-bash-completion-2.8.4-bp156.3.3.1 SUSE Package Hub 15 SP6:caddy-fish-completion-2.8.4-bp156.3.3.1 SUSE Package Hub 15 SP6:caddy-zsh-completion-2.8.4-bp156.3.3.1 SUSE Package Hub 15 SP6:coredns-1.11.3-bp156.4.3.1 SUSE Package Hub 15 SP6:coredns-extras-1.11.3-bp156.4.3.1 SUSE Package Hub 15 SP6:golang-github-v2fly-v2ray-core-5.33.0-bp156.2.3.1 SUSE Package Hub 15 SP6:kubo-0.32.1-bp156.2.3.1 SUSE Package Hub 15 SP6:v2ray-core-5.33.0-bp156.2.3.1 openSUSE Leap 15.5:caddy-2.8.4-bp155.2.3.1 openSUSE Leap 15.5:caddy-bash-completion-2.8.4-bp155.2.3.1 openSUSE Leap 15.5:caddy-fish-completion-2.8.4-bp155.2.3.1 openSUSE Leap 15.5:caddy-zsh-completion-2.8.4-bp155.2.3.1 openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1 openSUSE Leap 15.6:caddy-bash-completion-2.8.4-bp156.3.3.1 openSUSE Leap 15.6:caddy-fish-completion-2.8.4-bp156.3.3.1 openSUSE Leap 15.6:caddy-zsh-completion-2.8.4-bp156.3.3.1 openSUSE Leap 15.6:coredns-1.11.3-bp156.4.3.1 openSUSE Leap 15.6:coredns-extras-1.11.3-bp156.4.3.1 openSUSE Leap 15.6:golang-github-v2fly-v2ray-core-5.33.0-bp156.2.3.1 openSUSE Leap 15.6:kubo-0.32.1-bp156.2.3.1 openSUSE Leap 15.6:v2ray-core-5.33.0-bp156.2.3.1 openSUSE Tumbleweed:caddy-2.8.4-1.1 openSUSE Tumbleweed:coredns-1.11.1-5.1 openSUSE Tumbleweed:coredns-extras-1.11.1-5.1 openSUSE Tumbleweed:golang-github-v2fly-v2ray-core-5.15.1-1.1 openSUSE Tumbleweed:kubo-0.27.0-2.1 openSUSE Tumbleweed:syncthing-1.27.6-1.1 openSUSE Tumbleweed:syncthing-relaysrv-1.27.6-1.1 openSUSE Tumbleweed:v2ray-core-5.15.1-1.1 important 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H