CVE-2024-32974 Overview
CVE-2024-32974 is a use-after-free vulnerability in Envoy, the cloud-native open source edge and service proxy. The flaw resides in EnvoyQuicServerStream::OnInitialHeadersComplete() and is triggered when QUICHE continues pushing request headers after StopReading() has been called on the stream. After StopReading(), the HTTP Connection Manager's (HCM) ActiveStream may already be destroyed, so any upcalls from QUICHE can dereference freed memory. Remote, unauthenticated attackers can crash the proxy by sending crafted QUIC traffic, producing a denial-of-service condition on a critical network component [CWE-416].
Critical Impact
Remote attackers can crash Envoy proxies over the network without authentication, disrupting all traffic served by the affected instance.
Affected Products
- Envoyproxy Envoy (multiple versions prior to fixed releases)
- Deployments using QUIC/HTTP3 listeners
- Service meshes and edge gateways built on Envoy
Discovery Timeline
- 2024-06-04 - CVE-2024-32974 published to the National Vulnerability Database (NVD)
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-32974
Vulnerability Analysis
The defect is a use-after-free in Envoy's QUIC server stream handler. When a stream calls StopReading(), the upstream HCM ActiveStream object can be torn down. QUICHE, the underlying QUIC/HTTP3 library, does not honor this state change for in-flight header processing. It continues to deliver headers to EnvoyQuicServerStream::OnInitialHeadersComplete(), which then operates on a destroyed ActiveStream. The result is memory access to freed objects, leading to a process crash.
The vulnerability impacts availability only. Confidentiality and integrity remain intact because no attacker-controlled memory is read back or written to disk. However, since Envoy commonly fronts large numbers of services, a single malicious peer can take down a shared ingress.
Root Cause
The root cause is a lifecycle mismatch between QUICHE and Envoy's HCM. StopReading() informs Envoy that no further header data should be consumed, but QUICHE keeps the callback chain active. The contract between the two layers fails to guarantee that header callbacks stop firing before the dependent ActiveStream is released.
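The lifecycle contract described in the analysis and root-cause sections above, reduced to a small C++ model. This is an added illustration, not Envoy's or QUICHE's code: RequestHandler, ServerStream, stopReading() and onInitialHeadersComplete() are stand-ins for the HCM ActiveStream, EnvoyQuicServerStream, StopReading() and OnInitialHeadersComplete(). The hardened stream drops its handler pointer and records a stopped flag when reading stops, so a queued header upcall that arrives after the handler has been destroyed is ignored instead of dereferencing freed memory.

```cpp
#include <cstddef>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Illustrative names only; these are not Envoy's or QUICHE's classes.
struct Header { std::string name, value; };
using HeaderList = std::vector<Header>;

// Stand-in for the HCM ActiveStream: the object that may be torn down
// once the stream has stopped reading.
class RequestHandler {
 public:
  void decodeHeaders(const HeaderList& h) { headers_seen_ += h.size(); }
  std::size_t headersSeen() const { return headers_seen_; }
 private:
  std::size_t headers_seen_ = 0;
};

// Stand-in for the QUIC server stream. The library layer beneath it may
// still deliver already-queued headers after stopReading() was called.
class ServerStream {
 public:
  explicit ServerStream(RequestHandler* handler) : handler_(handler) {}

  // Called when the handler no longer wants data. From here on the handler
  // may be destroyed at any time, so the stream must forget it immediately.
  void stopReading() {
    reading_stopped_ = true;
    handler_ = nullptr;  // hardened: never retain a pointer we may not own
  }

  // Upcall from the QUIC layer with a completed initial header block.
  // Vulnerable pattern (not compiled here): calling handler_->decodeHeaders()
  // unconditionally, which after stopReading() touches freed memory.
  void onInitialHeadersComplete(const HeaderList& headers) {
    if (reading_stopped_ || handler_ == nullptr) {
      ++dropped_after_stop_;  // late delivery: record and ignore
      return;
    }
    handler_->decodeHeaders(headers);
  }

  std::size_t droppedAfterStop() const { return dropped_after_stop_; }

 private:
  RequestHandler* handler_;
  bool reading_stopped_ = false;
  std::size_t dropped_after_stop_ = 0;
};

// Scenario: handler destroyed after stopReading(), then one more queued
// header block arrives. Returns {headers the handler saw, blocks dropped}.
std::pair<std::size_t, std::size_t> runScenario() {
  auto handler = std::make_unique<RequestHandler>();
  ServerStream stream(handler.get());
  stream.onInitialHeadersComplete({{":method", "GET"}, {":path", "/"}});
  stream.stopReading();
  std::size_t seen = handler->headersSeen();
  handler.reset();  // the ActiveStream equivalent is now freed
  stream.onInitialHeadersComplete({{"x-late", "1"}});  // safe: guarded
  return {seen, stream.droppedAfterStop()};
}

int main() {
  auto r = runScenario();
  return (r.first == 2 && r.second == 1) ? 0 : 1;
}
```

The point of the model is the ordering guarantee the page says was missing: the stream must treat StopReading() as the last moment it may hold a reference to the object above it, and every subsequent upcall must check that state before dereferencing anything.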
Attack Vector
An unauthenticated remote attacker sends a QUIC request that triggers conditions causing Envoy to call StopReading() on the stream while additional initial headers remain queued in QUICHE. When QUICHE delivers those headers, the callback dereferences freed memory in OnInitialHeadersComplete(), crashing the worker. Refer to the GitHub Security Advisory GHSA-mgxp-7hhp-8299 for upstream technical details.
Detection Methods for CVE-2024-32974
Indicators of Compromise
- Unexpected Envoy worker process crashes or SIGSEGV signals on hosts terminating QUIC traffic
- Stack traces referencing EnvoyQuicServerStream::OnInitialHeadersComplete
- Sudden drops in QUIC/HTTP3 listener availability or connection resets to clients
- Repeated short-lived QUIC connections from a single source preceding crashes
Detection Strategies
- Monitor Envoy admin /stats endpoints for increases in server.hot_restart_epoch or worker restarts
- Alert on segmentation faults in container logs for Envoy processes
- Inspect QUIC listener metrics for abnormal header-processing patterns or premature stream resets
Monitoring Recommendations
- Forward Envoy crash logs and core dump metadata to a centralized logging platform for correlation
- Track HTTP3/QUIC error rates and tie them to source IPs to identify abusive peers
- Establish baselines for worker uptime and alert on regressions following deployment of new client populations
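The indicators, detection strategies and monitoring recommendations above, combined into one log-scanning routine. This is an added example, not an Envoy tool: the sample log excerpt is constructed, the connection-log line format (`quic connection closed src=... duration_ms=...`) is an assumed format rather than Envoy's real access-log output, and the crash lines only approximate Envoy's segfault and backtrace messages. The scan flags a segfault whose backtrace names OnInitialHeadersComplete and counts short-lived QUIC connections per source in the lines that precede the crash.

```cpp
#include <map>
#include <string>
#include <vector>

// Outcome of scanning an Envoy log excerpt for the crash pattern described
// in the detection sections: a segfault with OnInitialHeadersComplete on the
// stack, preceded by a burst of short-lived QUIC connections from one source.
struct CrashReport {
  bool segfault = false;                           // "Segmentation fault" seen
  bool quic_stream_frame = false;                  // backtrace names the callback
  std::map<std::string, int> short_lived_by_src;   // src -> short connections before crash
  std::string top_src;                             // source with the most of them
};

// Return the value following "key=" up to the next space (or end of line).
static std::string fieldValue(const std::string& line, const std::string& key) {
  auto pos = line.find(key + "=");
  if (pos == std::string::npos) return "";
  pos += key.size() + 1;
  auto end = line.find(' ', pos);
  return line.substr(pos, end == std::string::npos ? std::string::npos : end - pos);
}

// short_ms: connections closing faster than this count as short-lived.
CrashReport scanLog(const std::vector<std::string>& lines, int short_ms = 100) {
  CrashReport r;
  for (const auto& line : lines) {
    if (line.find("Segmentation fault") != std::string::npos) r.segfault = true;
    if (line.find("OnInitialHeadersComplete") != std::string::npos) r.quic_stream_frame = true;
    // Only connections that closed before the crash was logged are relevant.
    if (!r.segfault && line.find("quic connection closed") != std::string::npos) {
      std::string src = fieldValue(line, "src");
      std::string dur = fieldValue(line, "duration_ms");
      if (!src.empty() && !dur.empty() && std::stoi(dur) < short_ms) ++r.short_lived_by_src[src];
    }
  }
  for (const auto& kv : r.short_lived_by_src)
    if (r.top_src.empty() || kv.second > r.short_lived_by_src.at(r.top_src)) r.top_src = kv.first;
  return r;
}

// True when both crash indicators from the page are present.
bool matchesCve202432974(const CrashReport& r) { return r.segfault && r.quic_stream_frame; }

// Constructed sample excerpt (assumed line format, not real Envoy output).
const std::vector<std::string> kSampleLog = {
  "2024-06-05T10:00:00Z [info] quic connection closed src=198.51.100.4 duration_ms=8500",
  "2024-06-05T10:00:01Z [info] quic connection closed src=203.0.113.7 duration_ms=12",
  "2024-06-05T10:00:01Z [info] quic connection closed src=203.0.113.7 duration_ms=9",
  "2024-06-05T10:00:02Z [info] quic connection closed src=203.0.113.7 duration_ms=15",
  "2024-06-05T10:00:02Z [critical] Caught Segmentation fault, suspect faulting address 0x0",
  "2024-06-05T10:00:02Z [critical] Backtrace (use tools/stack_decode.py to get line numbers):",
  "2024-06-05T10:00:02Z [critical] #2: Envoy::Quic::EnvoyQuicServerStream::OnInitialHeadersComplete()",
  "2024-06-05T10:00:03Z [info] quic connection closed src=203.0.113.7 duration_ms=4",
};

int main() {
  CrashReport r = scanLog(kSampleLog);
  return (matchesCve202432974(r) && r.top_src == "203.0.113.7") ? 0 : 1;
}
```

In a real pipeline the two halves would come from different streams (worker crash output and the listener's access log), so the same correlation would be done on timestamps after both are forwarded to the central platform; the threshold and the source field name should be adjusted to whatever the deployed access-log format actually emits.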
How to Mitigate CVE-2024-32974
Immediate Actions Required
- Upgrade Envoy to a patched release as listed in the upstream security advisory
- Inventory all Envoy deployments, including service mesh sidecars and standalone gateways, to confirm version coverage
- If immediate patching is not possible, disable QUIC/HTTP3 listeners until the upgrade can be applied
Patch Information
The Envoy maintainers released fixes addressing the QUICHE callback lifecycle. Patched versions and exact release identifiers are documented in the Envoy GitHub Security Advisory GHSA-mgxp-7hhp-8299. Apply the latest maintenance release for your supported branch.
Workarounds
- Disable QUIC/HTTP3 listeners in envoy.yaml and serve clients over TCP-based HTTP/2 until patched
- Place rate limiting or upstream filtering in front of QUIC endpoints to reduce exposure to abusive peers
- Restrict QUIC access at the network edge to known client ranges where feasible
# Configuration example: disable a QUIC listener until patched
# Remove or comment the udp_listener_config block that enables QUIC
static_resources:
  listeners:
  - name: listener_https
    address:
      socket_address:
        protocol: TCP
        address: 0.0.0.0
        port_value: 443
    # udp_listener_config:
    #   quic_options: {}
    #   downstream_socket_config:
    #     prefer_gro: true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.