CVE-2026-40170 Overview
CVE-2026-40170 is a stack buffer overflow vulnerability in ngtcp2, a C implementation of the IETF QUIC protocol. The vulnerability exists in the ngtcp2_qlog_parameters_set_transport_params() function, which serializes peer transport parameters into a fixed 1024-byte stack buffer without performing proper bounds checking. When qlog is enabled, a remote peer can send sufficiently large transport parameters during the QUIC handshake to cause writes beyond the buffer boundary, resulting in a stack buffer overflow. This vulnerability affects deployments that enable the qlog callback and process untrusted peer transport parameters.
Critical Impact
Remote attackers can trigger a stack buffer overflow by sending oversized transport parameters during QUIC handshake, potentially causing denial of service or memory corruption in systems with qlog enabled.
Affected Products
- ngtcp2 versions prior to 1.22.1
- QUIC implementations using ngtcp2 with qlog callback enabled
- Applications processing untrusted peer transport parameters via ngtcp2
Discovery Timeline
- 2026-04-16 - CVE-2026-40170 published to NVD
- 2026-04-16 - Last updated in NVD database
Technical Details for CVE-2026-40170
Vulnerability Analysis
The vulnerability is classified as CWE-121 (Stack-based Buffer Overflow). The core issue lies in the ngtcp2_qlog_parameters_set_transport_params() function within lib/ngtcp2_qlog.c. This function allocates a fixed 1024-byte stack buffer to serialize incoming transport parameters from a remote QUIC peer. However, the function lacks proper bounds checking before writing data to this buffer.
During a QUIC handshake, transport parameters are exchanged between peers. When qlog functionality is enabled to log these parameters, the vulnerable function attempts to serialize them without validating that the resulting data fits within the allocated stack buffer. A malicious remote peer can craft transport parameters that exceed the 1024-byte limit, causing the function to write beyond the buffer boundary on the stack.
This stack buffer overflow can result in denial of service through application crashes. The network-accessible nature of this vulnerability means it can be triggered remotely by any peer during the QUIC handshake phase, without requiring authentication or user interaction.
Root Cause
The root cause is the use of a fixed-size stack buffer (uint8_t buf[1024]) in ngtcp2_qlog_parameters_set_transport_params() without validating that serialized transport parameters fit within this allocation. The QUIC protocol allows variable-length transport parameters, but the qlog serialization code assumed a maximum size that could be exceeded by malicious input.
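As an added illustration of the root cause (example code, not ngtcp2's own), a bounds-checked serializer in the shape the qlog path needs: every appended piece is checked against the remaining capacity and the function fails closed instead of writing past the buffer. The demo_params struct, its field names and the sample token are constructed for this example.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the peer transport parameters qlog serializes (names are assumptions, not ngtcp2's). */
typedef struct {
  uint64_t initial_max_data;
  uint64_t max_udp_payload_size;
  const uint8_t *stateless_reset_token; /* variable-length, peer-controlled */
  size_t tokenlen;
} demo_params;

/* Append formatted text at buf+*len only if the whole piece fits in cap. */
static int append(uint8_t *buf, size_t cap, size_t *len, const char *fmt, ...) {
  size_t avail = cap - *len;
  va_list ap;
  va_start(ap, fmt);
  int n = vsnprintf((char *)buf + *len, avail, fmt, ap);
  va_end(ap);
  if (n < 0 || (size_t)n >= avail) return -1; /* would truncate: fail closed */
  *len += (size_t)n;
  return 0;
}

/* qlog-style JSON serialization into a caller-sized buffer. Unlike a fixed
   uint8_t buf[1024] written without checks, every piece is bounded by cap.
   Returns the length written, or -1 when the output does not fit. */
int serialize_params_checked(uint8_t *buf, size_t cap, const demo_params *p) {
  size_t len = 0;
  if (append(buf, cap, &len, "{\"initial_max_data\":%llu,",
             (unsigned long long)p->initial_max_data) < 0) return -1;
  if (p->stateless_reset_token) {
    if (append(buf, cap, &len, "\"stateless_reset_token\":\"") < 0) return -1;
    for (size_t i = 0; i < p->tokenlen; i++)
      if (append(buf, cap, &len, "%02x", (unsigned)p->stateless_reset_token[i]) < 0) return -1;
    if (append(buf, cap, &len, "\",") < 0) return -1;
  }
  if (append(buf, cap, &len, "\"max_udp_payload_size\":%llu}",
             (unsigned long long)p->max_udp_payload_size) < 0) return -1;
  return (int)len;
}

/* Constructed sample input (16-byte token, not a real peer's value). */
static const uint8_t demo_token[16] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};
static const demo_params demo_with_token = {1048576, 1200, demo_token, 16};

/* Serialize into a local buffer of the given capacity (capped at 2048). */
int demo_fit(size_t cap, const demo_params *p) {
  uint8_t buf[2048];
  if (cap > sizeof buf) cap = sizeof buf;
  return serialize_params_checked(buf, cap, p);
}
```

With the sample input the object is 115 bytes, so a 115-byte buffer is rejected while a 116-byte one succeeds; the same input against an unchecked fixed buffer would simply overrun it.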
Attack Vector
The attack can be executed remotely over the network. An attacker establishes a QUIC connection with a vulnerable server or client that has qlog enabled. During the handshake phase, the attacker sends transport parameters that, when serialized by the qlog function, exceed 1024 bytes. This triggers the stack buffer overflow when the victim's ngtcp2 library processes the oversized parameters. No authentication or special privileges are required, and no user interaction is necessary.
void ngtcp2_qlog_parameters_set_transport_params(
ngtcp2_qlog *qlog, const ngtcp2_transport_params *params, int server,
ngtcp2_qlog_side side) {
- uint8_t buf[1024];
+ uint8_t buf[2048];
uint8_t *p = buf;
const ngtcp2_preferred_addr *paddr;
const ngtcp2_sockaddr_in *sa_in;
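Review bot: the hunk only enlarges the stack buffer from 1024 to 2048 bytes and adds no check on remaining space, so the overflow is prevented only if the serialized output is provably below 2048 bytes for every parameter set the decoder accepts; since the page notes that transport parameters are variable-length, consider passing sizeof(buf) into the serialization helpers and checking remaining capacity before each write to p, and adding a comment that documents how the 2048-byte bound was derived.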
Source: GitHub Commit Update
Detection Methods for CVE-2026-40170
Indicators of Compromise
- Abnormal crashes in QUIC-enabled applications with qlog functionality active
- Stack corruption errors or segmentation faults in ngtcp2-based services
- Unusually large QUIC transport parameters observed in network traffic during handshakes
- Core dumps indicating buffer overflow in ngtcp2_qlog_parameters_set_transport_params()
Detection Strategies
- Monitor for application crashes in services using ngtcp2 with qlog enabled during QUIC handshakes
- Implement deep packet inspection to detect QUIC handshakes with abnormally large transport parameter extensions (a passive observer can recover only the client's parameters, carried in the ClientHello inside Initial packets; the server's are sent in EncryptedExtensions and are not visible on the wire)
- Deploy memory safety tools (AddressSanitizer, Valgrind) in testing environments to detect stack buffer overflows
- Review logs for repeated connection attempts followed by service crashes
Monitoring Recommendations
- Configure alerting for unexpected termination of QUIC-enabled services
- Monitor memory usage patterns and stack allocation anomalies in ngtcp2-dependent applications
- Track QUIC connection establishment failures with associated crash signatures
- Implement rate limiting on QUIC handshakes from untrusted sources
How to Mitigate CVE-2026-40170
Immediate Actions Required
- Upgrade ngtcp2 to version 1.22.1 or later immediately
- If immediate upgrade is not possible, disable qlog functionality on affected systems
- Review and limit exposure of QUIC services to untrusted networks
- Apply network-level filtering to rate-limit QUIC connection attempts from unknown sources
Patch Information
The vulnerability has been fixed in ngtcp2 version 1.22.1. The fix increases the stack buffer size from 1024 bytes to 2048 bytes in the ngtcp2_qlog_parameters_set_transport_params() function. The security patch is available in commit 708a7640c1f48fb8ffb540c4b8ea5b4c1dfb8ee5. Organizations should update to version 1.22.1 or later. Additional details are available in the GitHub Security Advisory.
Workarounds
- Disable qlog callback functionality on client and server implementations until patching is complete
- Deploy QUIC services behind network filtering that limits transport parameter sizes
- Implement application-level validation of transport parameter sizes before qlog processing
- Isolate vulnerable QUIC services in sandboxed environments to limit impact of potential exploitation
# Configuration example - disable qlog in ngtcp2 client configuration
# qlog is enabled by setting the qlog_write callback in ngtcp2_settings before
# the connection is created; leaving it NULL disables qlog and the vulnerable path
# Before (vulnerable):
# settings.qlog_write = qlog_write_cb;
# After (workaround):
# settings.qlog_write = NULL;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

