CVE-2024-22189 Overview
CVE-2024-22189 is a memory exhaustion vulnerability in quic-go, a Go implementation of the QUIC transport protocol. Versions prior to 0.42.0 allow a remote attacker to exhaust peer memory by flooding the connection with NEW_CONNECTION_ID frames that retire old connection IDs. The receiver must respond with RETIRE_CONNECTION_ID frames, but attackers can suppress these responses by collapsing the congestion window and manipulating the round-trip time (RTT) estimate. The flaw maps to CWE-770 (Allocation of Resources Without Limits or Throttling). Maintainers released a patch in version 0.42.0.
Critical Impact
Unauthenticated remote attackers can trigger denial of service through unbounded memory growth on any peer running quic-go prior to 0.42.0.
Affected Products
- quic-go versions prior to 0.42.0
- Applications and servers embedding the quic-go library for QUIC or HTTP/3 transport
- Go-based services that expose QUIC endpoints to untrusted networks
Discovery Timeline
- 2024-04-04 - CVE-2024-22189 published to the National Vulnerability Database
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-22189
Vulnerability Analysis
The QUIC protocol uses connection IDs to route packets across path changes. The NEW_CONNECTION_ID frame advertises new identifiers to a peer, and the Retire Prior To field instructs the peer to retire previously issued IDs. Each retirement must be acknowledged with a RETIRE_CONNECTION_ID frame.
In quic-go versions prior to 0.42.0, the implementation queued retirement responses without bounding their growth when transmission stalled. An attacker sending a high volume of NEW_CONNECTION_ID frames forces the peer to allocate state for each retirement that has not yet been sent.
The attacker amplifies the condition by selectively acknowledging packets to collapse the peer's congestion window. Manipulating the RTT estimate further slows the peer's transmission of RETIRE_CONNECTION_ID frames. The queue grows unbounded until the process exhausts available memory.
Root Cause
The root cause is the absence of an upper bound on queued RETIRE_CONNECTION_ID frames awaiting transmission. The implementation trusted the peer to send NEW_CONNECTION_ID frames at a sustainable rate. No allocation limit existed for the retirement queue when send progress stalled, satisfying the conditions described in CWE-770.
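The following Go model illustrates the bookkeeping described in the Vulnerability Analysis and Root Cause sections. It is an added example, not quic-go's own code and not taken from the advisory: the type and function names, the 32-frame bound, the decision to treat an overfull queue as a connection error, and the stalled-send simulation are all assumptions made for illustration. With maxQueued set to 0 the retirement queue grows without limit, one entry per NEW_CONNECTION_ID frame, while the set of active IDs never exceeds one; with a positive bound the manager refuses further retirements once the queue is full.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified model of the receiver-side bookkeeping for NEW_CONNECTION_ID
// frames. This is an added, hypothetical illustration, not quic-go's code: a
// maxQueued of 0 reproduces the unbounded pre-0.42.0 queue, while a positive
// value stands in for the bound the fix introduces.

type newConnectionIDFrame struct {
	SequenceNumber uint64 // sequence number of the advertised connection ID
	RetirePriorTo  uint64 // every ID with a lower sequence number must be retired
}

// ErrTooManyQueuedRetirements means the peer is forcing retirements faster than
// RETIRE_CONNECTION_ID frames can leave; the connection should be closed rather
// than allocating further.
var ErrTooManyQueuedRetirements = errors.New("too many queued RETIRE_CONNECTION_ID frames")

type connIDManager struct {
	active            map[uint64]struct{} // peer-issued IDs not yet retired
	seen              map[uint64]struct{} // sequence numbers already processed; retransmits are ignored
	retirePriorTo     uint64              // highest Retire Prior To received so far
	queuedRetirements []uint64            // RETIRE_CONNECTION_ID frames waiting for the packer
	maxQueued         int                 // 0 = unbounded (vulnerable); >0 = bound enforced
}

func newConnIDManager(maxQueued int) *connIDManager {
	return &connIDManager{active: map[uint64]struct{}{}, seen: map[uint64]struct{}{}, maxQueued: maxQueued}
}

// handleNewConnectionID applies one NEW_CONNECTION_ID frame.
func (m *connIDManager) handleNewConnectionID(f newConnectionIDFrame) error {
	// RFC 9000 section 19.15: Retire Prior To may not exceed the frame's own sequence number.
	if f.RetirePriorTo > f.SequenceNumber {
		return errors.New("FRAME_ENCODING_ERROR: Retire Prior To exceeds Sequence Number")
	}
	if _, dup := m.seen[f.SequenceNumber]; dup {
		return nil
	}
	m.seen[f.SequenceNumber] = struct{}{}
	if f.RetirePriorTo > m.retirePriorTo {
		m.retirePriorTo = f.RetirePriorTo
	}
	// Every active ID below the threshold costs one queued RETIRE_CONNECTION_ID.
	for seq := range m.active {
		if seq < m.retirePriorTo {
			delete(m.active, seq)
			if err := m.queueRetirement(seq); err != nil {
				return err
			}
		}
	}
	// An ID that is already below the threshold on arrival is retired at once, so
	// the active set stays tiny (well under active_connection_id_limit) even while
	// the queue keeps growing; a bound on the active set alone is therefore not enough.
	if f.SequenceNumber < m.retirePriorTo {
		return m.queueRetirement(f.SequenceNumber)
	}
	m.active[f.SequenceNumber] = struct{}{}
	return nil
}

// queueRetirement is the allocation site; the bound check is the fix.
func (m *connIDManager) queueRetirement(seq uint64) error {
	if m.maxQueued > 0 && len(m.queuedRetirements) >= m.maxQueued {
		return ErrTooManyQueuedRetirements
	}
	m.queuedRetirements = append(m.queuedRetirements, seq)
	return nil
}

// simulateStalledSend feeds frames that each retire the previous ID while the
// send path never drains the queue, and reports the depth reached.
func simulateStalledSend(frames, maxQueued int) (int, error) {
	m := newConnIDManager(maxQueued)
	for i := 0; i < frames; i++ {
		f := newConnectionIDFrame{SequenceNumber: uint64(i), RetirePriorTo: uint64(i)}
		if err := m.handleNewConnectionID(f); err != nil {
			return len(m.queuedRetirements), err
		}
	}
	return len(m.queuedRetirements), nil
}

func main() {
	depth, err := simulateStalledSend(100000, 0)
	fmt.Printf("unbounded: queue depth %d, err=%v\n", depth, err)
	depth, err = simulateStalledSend(100000, 32)
	fmt.Printf("bounded:   queue depth %d, err=%v\n", depth, err)
}
```

The point of the model is where the limit has to sit: the RFC's active_connection_id_limit caps how many IDs are live at once, but each frame here retires the one before it, so the live set stays at one while the pending-retirement queue is what grows. A bound at the allocation site (queueRetirement) is what turns unbounded growth into a connection close.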
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. Any peer reachable over QUIC can be targeted. The exploit relies on two protocol primitives an attacker controls: the rate of NEW_CONNECTION_ID frames and the acknowledgment behavior used to drive the victim's congestion controller and RTT estimator. Detailed exploitation mechanics are documented in the Seemann Blog Exploit Analysis and the GitHub Security Advisory GHSA-c33x-xqrf-c478.
Detection Methods for CVE-2024-22189
Indicators of Compromise
- Sustained high rates of inbound NEW_CONNECTION_ID frames from a single remote endpoint on QUIC/UDP port 443 or other QUIC listeners.
- Process memory growth in services linking quic-go versions below 0.42.0 that correlates with active QUIC sessions.
- Asymmetric acknowledgment patterns where the peer acknowledges only selected packets, suppressing congestion window growth.
Detection Strategies
- Monitor QUIC connection state for outbound RETIRE_CONNECTION_ID queue depth and alert when the queue exceeds expected steady-state values.
- Profile resident set size (RSS) of QUIC-enabled processes and trigger on rapid growth tied to a small number of remote peers.
- Inspect dependency manifests (go.mod, go.sum) to identify services pinned to quic-go versions prior to 0.42.0.
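The dependency-manifest check in the last strategy can be automated. The scanner below is an added example, not a tool from the quic-go project or the advisory; the function names, the sample go.mod and the choice to treat pre-releases of 0.42.0 (for example v0.42.0-rc1) as unpatched are assumptions. It recognises both the current module path github.com/quic-go/quic-go and the older github.com/lucas-clemente/quic-go path, handles single-line and block-form require directives, and orders versions the way Go module resolution does, including pseudo-versions.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Module paths under which quic-go has been published (current and pre-rename).
var quicGoModules = map[string]bool{
	"github.com/quic-go/quic-go":        true,
	"github.com/lucas-clemente/quic-go": true,
}

// fixedVersion is the first release containing the fix for CVE-2024-22189.
const fixedVersion = "v0.42.0"

type semver struct {
	major, minor, patch int
	pre                 string // "rc1", or the timestamp+hash tail of a pseudo-version
}

// parseVersion reads a Go module version such as v0.41.0, v0.42.0-rc1 or a
// pseudo-version like v0.42.1-0.20240101000000-abcdef123456.
func parseVersion(v string) (semver, error) {
	var s semver
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '-'); i >= 0 {
		s.pre, v = v[i+1:], v[:i]
	}
	if n, err := fmt.Sscanf(v, "%d.%d.%d", &s.major, &s.minor, &s.patch); err != nil || n != 3 {
		return s, fmt.Errorf("unrecognised module version %q", v)
	}
	return s, nil
}

// less orders versions as Go module resolution does: numerically, with a
// pre-release sorting before the final release of the same number.
func (a semver) less(b semver) bool {
	for _, d := range [3]int{a.major - b.major, a.minor - b.minor, a.patch - b.patch} {
		if d != 0 {
			return d < 0
		}
	}
	return a.pre != "" && b.pre == ""
}

// Finding is one quic-go requirement found in a go.mod file.
type Finding struct {
	Module, Version string
	Indirect        bool // pulled in through another dependency
	Vulnerable      bool // version sorts below fixedVersion
}

// ScanGoMod reports every quic-go requirement in go.mod contents, handling
// both single-line "require m v" and "require ( ... )" blocks.
func ScanGoMod(gomod string) ([]Finding, error) {
	fixed, _ := parseVersion(fixedVersion)
	var findings []Finding
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "require (") || (inBlock && line == ")") {
			inBlock = strings.HasPrefix(line, "require (")
			continue
		}
		fields := strings.Fields(line)
		var module, version string
		if inBlock && len(fields) >= 2 {
			module, version = fields[0], fields[1]
		} else if strings.HasPrefix(line, "require ") && len(fields) >= 3 {
			module, version = fields[1], fields[2]
		}
		if !quicGoModules[module] {
			continue
		}
		v, err := parseVersion(version)
		if err != nil {
			return nil, err
		}
		findings = append(findings, Finding{Module: module, Version: version,
			Indirect: strings.Contains(line, "// indirect"), Vulnerable: v.less(fixed)})
	}
	return findings, sc.Err()
}

// sampleGoMod is a constructed go.mod for a hypothetical HTTP/3 service.
const sampleGoMod = `module example.com/h3service

require (
	github.com/quic-go/quic-go v0.41.0
	golang.org/x/crypto v0.21.0 // indirect
)
`

func main() {
	findings, _ := ScanGoMod(sampleGoMod)
	for _, f := range findings {
		fmt.Printf("%s %s indirect=%t vulnerable=%t\n", f.Module, f.Version, f.Indirect, f.Vulnerable)
	}
}
```

A go.mod records the minimum version each module requires, and a replace directive or a newer requirement elsewhere in the graph can raise what is actually built; treat a hit from this scan as a lead and confirm the selected version with go list -m all (or go version -m on the built binary) before closing the finding.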
Monitoring Recommendations
- Capture QUIC connection telemetry including frame type counts, congestion window size, and RTT samples per peer.
- Forward host-level memory and process metrics to a centralized analytics platform for correlation against network telemetry.
- Alert on process termination by the OOM killer for services exposing QUIC listeners.
How to Mitigate CVE-2024-22189
Immediate Actions Required
- Upgrade quic-go to version 0.42.0 or later in all affected services and rebuild dependent binaries.
- Inventory internal and third-party Go services exposing QUIC or HTTP/3 to confirm dependency versions.
- Apply per-peer rate limits or connection quotas on QUIC listeners at the network edge until patched builds are deployed.
Patch Information
The fix is included in quic-go version 0.42.0. Review the upstream change in the GitHub Commit 4a99b816 and the GitHub Security Advisory GHSA-c33x-xqrf-c478. The patch bounds the queue of pending RETIRE_CONNECTION_ID frames so that peer-driven retirements cannot grow memory without limit.
Workarounds
- No application-level workarounds are documented by the maintainers; upgrading to 0.42.0 is the supported remediation.
- Restrict exposure of QUIC endpoints to trusted networks or behind authenticated gateways where feasible.
- Enforce strict process memory limits (for example, the cgroup memory.max setting) so that exhaustion attempts terminate the affected process instead of impacting the host.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.