Login Sign Up

CVE-2023-39322

7.5 HIGH
Denial of Service

📋 TL;DR

This vulnerability in QUIC implementations allows malicious connections to cause unbounded memory growth by sending excessively large post-handshake messages. Systems using affected QUIC libraries or applications are vulnerable to denial-of-service attacks through memory exhaustion.

💻 Affected Systems

Products:
  • Go programming language standard library
  • Applications using Go's net/http or crypto/tls packages with QUIC
Versions: Go versions 1.20.0 through 1.20.9 and 1.21.0 through 1.21.3
Operating Systems: All platforms running affected Go versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with QUIC enabled or using QUIC-based protocols

📦 What is this software?

Go by Golang

View all CVEs affecting Go →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system memory exhaustion leading to denial-of-service, potentially affecting multiple services on the same host

🟠

Likely Case

Degraded performance or service disruption for applications using QUIC connections

🟢

If Mitigated

Minimal impact with proper network segmentation and resource limits

🌐 Internet-Facing: HIGH - QUIC is commonly used for internet-facing web services and applications
🏢 Internal Only: MEDIUM - Internal services using QUIC could be exploited by compromised internal systems

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to QUIC endpoints but no authentication

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Go 1.20.10, Go 1.21.4, or later

Vendor Advisory: https://pkg.go.dev/vuln/GO-2023-2045

Restart Required: Yes

Instructions:

1. Update Go to version 1.20.10 or 1.21.4+. 2. Recompile affected applications. 3. Restart services using the updated Go runtime.

🔧 Temporary Workarounds

Disable QUIC

all

Disable QUIC protocol support if not required

Configure applications to disable QUIC/HTTP3 support

Resource limits

linux

Implement memory limits and monitoring for QUIC services

Use ulimit -v to set memory limits
Implement container memory limits

🧯 If You Can't Patch

  • Implement network segmentation to isolate QUIC services
  • Deploy rate limiting and connection monitoring for QUIC endpoints

🔍 How to Verify

Check if Vulnerable:

Check Go version with 'go version' and verify if between 1.20.0-1.20.9 or 1.21.0-1.21.3

Check Version:

go version

Verify Fix Applied:

Verify Go version is 1.20.10+ or 1.21.4+ and applications have been recompiled

📡 Detection & Monitoring

Log Indicators:

  • Unusual memory consumption spikes
  • QUIC connection errors or timeouts
  • Process termination due to OOM

Network Indicators:

  • Large QUIC packet sizes (>65KB) in network traffic
  • Excessive QUIC connection attempts

SIEM Query:

source=* ("QUIC" OR "HTTP/3") AND ("memory" OR "OOM" OR "out of memory")

📊 Metadata

CVE ID: CVE-2023-39322
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-770
Published: September 8, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-39322, you might also want to check these:

CVE-2024-44241 9.8

This vulnerability in DCP firmware allows attackers to execute arbitrary code or cause system crashe...

Same vulnerability type (CWE-770)
CVE-2025-11832 9.8

This CVE describes a resource allocation vulnerability in Azure Access Technology BLU-IC2 and BLU-IC...

Same vulnerability type (CWE-770)
CVE-2021-47875 9.8

GeoGebra CAS Calculator 6.0.631.0 contains a buffer overflow vulnerability that allows attackers to ...

Same vulnerability type (CWE-770)