CVE-2024-26190 Overview
CVE-2024-26190 is a denial of service vulnerability affecting Microsoft's QUIC protocol implementation. The flaw resides in the MsQuic library used across Windows, Windows Server, .NET, PowerShell, and Visual Studio 2022. Remote, unauthenticated attackers can send crafted QUIC traffic to a vulnerable endpoint to exhaust resources and disrupt service availability. The weakness is classified as [CWE-400] Uncontrolled Resource Consumption. Microsoft published guidance and updates through its Security Response Center on March 12, 2024.
Critical Impact
A network-based attacker can trigger a denial of service condition against any service relying on the affected QUIC stack, taking HTTP/3, SMB over QUIC, and other QUIC-backed workloads offline without authentication or user interaction.
Affected Products
- Microsoft Windows 11 (21H2, 22H2, 23H2) and Windows Server 2022 (including 23H2)
- Microsoft .NET and PowerShell components shipping the affected MsQuic library
- Microsoft Visual Studio 2022
Discovery Timeline
- 2024-03-12 - CVE-2024-26190 published to NVD and Microsoft releases security update
- 2024-12-27 - Last updated in NVD database
Technical Details for CVE-2024-26190
Vulnerability Analysis
The vulnerability affects Microsoft's QUIC (Quick UDP Internet Connections) transport implementation. QUIC is the UDP-based, encrypted transport protocol that underpins HTTP/3 and SMB over QUIC. The MsQuic component ships with Windows, Windows Server, .NET, PowerShell, and Visual Studio 2022.
The flaw is categorized under [CWE-400] Uncontrolled Resource Consumption. An attacker can submit specially crafted QUIC packets that force the server to allocate or process resources disproportionately to the input. Sustained delivery of such packets degrades the service or makes it unresponsive to legitimate clients.
Exploitation requires no authentication, no user interaction, and only network access to a listening QUIC endpoint. Confidentiality and integrity are not impacted, but availability is fully impaired for the targeted service.
Root Cause
The root cause is improper enforcement of resource limits during QUIC connection or packet handling within MsQuic. Specific allocation paths fail to bound the work performed in response to attacker-controlled traffic, allowing CPU, memory, or connection-state exhaustion.
Attack Vector
The attack is delivered over the network using UDP-based QUIC traffic toward any service exposing a QUIC listener. Common targets include HTTP/3 web servers, SMB over QUIC file services, and .NET applications using System.Net.Quic. No prior access to the host is required.
No public proof-of-concept has been released, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the Microsoft Security Update CVE-2024-26190 advisory for technical specifics.
Detection Methods for CVE-2024-26190
Indicators of Compromise
- Sudden spikes in inbound UDP traffic on QUIC ports (default UDP/443 for HTTP/3, UDP/443 for SMB over QUIC) from a small set of source addresses.
- Elevated CPU or memory consumption on processes hosting MsQuic such as msquic.dll consumers, IIS with HTTP/3 enabled, or .NET services using System.Net.Quic.
- QUIC connection setup failures, half-open connections, or service timeouts logged by affected applications.
Detection Strategies
- Baseline normal QUIC handshake rates per source IP and alert on statistically significant deviations.
- Correlate UDP/443 traffic volume with process-level resource metrics on hosts running HTTP/3 or SMB over QUIC.
- Inspect Windows Event Logs and application telemetry for repeated QUIC error events or sudden listener restarts.
Monitoring Recommendations
- Enable flow logging on perimeter firewalls and load balancers fronting QUIC services and retain it for trend analysis.
- Monitor patch state of Windows 11, Windows Server 2022, .NET, PowerShell, and Visual Studio 2022 hosts to confirm the March 2024 update is installed.
- Track availability SLOs of QUIC-fronted services so denial of service conditions surface quickly in operational dashboards.
How to Mitigate CVE-2024-26190
Immediate Actions Required
- Apply the March 2024 Microsoft security updates to all affected Windows, Windows Server, .NET, PowerShell, and Visual Studio 2022 installations as described in the Microsoft advisory.
- Inventory services that expose QUIC listeners, including IIS with HTTP/3, SMB over QUIC, and custom System.Net.Quic applications, and prioritize them for patching.
- Place rate limiting in front of QUIC endpoints exposed to untrusted networks until patches are deployed.
Patch Information
Microsoft addressed the vulnerability in the March 12, 2024 security release. Updated MsQuic binaries are delivered through Windows Update for Windows 11 and Windows Server 2022, and through corresponding .NET, PowerShell, and Visual Studio 2022 servicing channels. Consult the Microsoft Security Update CVE-2024-26190 page for the specific build numbers applicable to each product.
Workarounds
- If patching cannot be completed immediately, disable HTTP/3 on affected web servers and restrict SMB over QUIC to trusted client ranges.
- Block inbound UDP/443 at perimeter firewalls for services that do not require external QUIC connectivity.
- Restrict QUIC exposure to known client subnets using network ACLs while patch deployment is scheduled.
# Configuration example: disable HTTP/3 on IIS until patched
# Run in an elevated PowerShell session
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters" `
-Name "EnableHttp3" -Value 0 -PropertyType DWORD -Force
Restart-Service -Name http -Force
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
