CVE-2024-11738

5.3 MEDIUM

📋 TL;DR

A vulnerability in Rustls 0.23.13 and related APIs allows denial of service through a panic when processing fragmented TLS ClientHello messages. Any system that relies on a vulnerable Rustls version for TLS connections is affected, and the panic can be triggered by sending specially crafted TLS handshake messages.

💻 Affected Systems

Products:
  • Rustls
  • Applications using Rustls library
Versions: Rustls 0.23.13 and related APIs
Operating Systems: All platforms running Rustls
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using Rustls for TLS connections is vulnerable regardless of configuration.

📦 What is this software?

Rustls is a TLS library written in Rust that applications link to in order to terminate or initiate TLS connections.
⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service disruption through panic/crash of Rustls applications, potentially affecting availability of TLS-dependent services.

🟠 Likely Case

Intermittent service disruptions affecting TLS connections, requiring application restarts to recover.

🟢 If Mitigated

Minimal impact if applications have proper restart mechanisms and monitoring in place.

🌐 Internet-Facing: HIGH - Internet-facing services using Rustls are directly exposed to crafted TLS connections from any source.
🏢 Internal Only: MEDIUM - Internal services could be affected by malicious internal actors or compromised systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW - Requires sending crafted TLS ClientHello messages.

Exploitation requires network access to TLS endpoints but no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Rustls 0.23.14 or later

Vendor Advisory: https://github.com/advisories/GHSA-qg5g-gv98-5ffh

Restart Required: Yes

Instructions:

1. Update the Rustls dependency to version 0.23.14 or later.
2. Rebuild and redeploy affected applications.
3. Restart services using Rustls.

🔧 Temporary Workarounds

Network filtering (applies to: all)

Implement network filtering to block fragmented TLS ClientHello messages.

Load balancer protection (applies to: all)

Configure load balancers to inspect and filter suspicious TLS handshake patterns.

🧯 If You Can't Patch

  • Implement rate limiting on TLS connections to reduce attack surface
  • Deploy application monitoring with automatic restart capabilities for crash detection

🔍 How to Verify

Check if Vulnerable:

Check Rustls version in Cargo.toml or via 'cargo tree | grep rustls' for version 0.23.13.

Check Version:

cargo tree | grep rustls

Verify Fix Applied:

Verify Rustls version is 0.23.14 or later using 'cargo tree | grep rustls'.
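The manual checks above rely on eyeballing `cargo tree` output. The script below is an added example (not part of this advisory or of the Rustls project) that automates the same verification offline: it reads the resolved `rustls` version(s) from a Cargo.lock and compares each numerically against the patch version listed above (0.23.14, taken from the "Patch Version" field and kept as a parameter). It uses only POSIX sh and awk; the sample lockfiles it scans are constructed inline, not real project files.

```sh
#!/bin/sh
# Added example, not part of the advisory or the Rustls project: scan a Cargo.lock
# for pinned rustls versions and compare each against the fix version the
# advisory lists. Uses only POSIX sh, awk and mktemp, so it runs offline.

FIXED_VERSION="0.23.14"   # assumption: taken from the "Patch Version" field above

# version_lt A B: return 0 when dotted version A is strictly lower than B.
# Components are compared numerically, so 0.23.9 < 0.23.14 and 0.23.100 > 0.23.14.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            ai = (i <= n) ? x[i] + 0 : 0
            bi = (i <= m) ? y[i] + 0 : 0
            if (ai < bi) exit 0
            if (ai > bi) exit 1
        }
        exit 1   # equal versions are not "lower"
    }'
}

# rustls_versions FILE: print the version of every [[package]] named exactly
# "rustls" in a Cargo.lock (rustls-webpki, rustls-pki-types etc. are skipped).
rustls_versions() {
    awk '
        /^\[\[package\]\]/                   { want = 0 }
        $1 == "name" && $3 == "\"rustls\""   { want = 1; next }
        want && $1 == "version"              { gsub(/"/, "", $3); print $3; want = 0 }
    ' "$1"
}

# check_lockfile FILE: exit 0 when every rustls entry is at or above the fix,
# 1 when at least one vulnerable version is pinned, 2 when rustls is absent.
check_lockfile() {
    found=0
    vulnerable=0
    for v in $(rustls_versions "$1"); do
        found=1
        if version_lt "$v" "$FIXED_VERSION"; then
            echo "VULNERABLE: rustls $v is older than $FIXED_VERSION"
            vulnerable=1
        else
            echo "ok: rustls $v"
        fi
    done
    [ "$found" -eq 1 ] || { echo "rustls not found in $1"; return 2; }
    [ "$vulnerable" -eq 0 ]
}

# Constructed sample lockfiles (not real project files) so the script runs offline.
SAMPLE_VULN=$(mktemp)
SAMPLE_FIXED=$(mktemp)
trap 'rm -f "$SAMPLE_VULN" "$SAMPLE_FIXED"' EXIT
cat > "$SAMPLE_VULN" <<'EOF'
[[package]]
name = "rustls"
version = "0.23.13"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "rustls-webpki"
version = "0.102.8"
EOF
cat > "$SAMPLE_FIXED" <<'EOF'
[[package]]
name = "rustls"
version = "0.23.14"
EOF

# Usage: sh check_rustls.sh path/to/Cargo.lock
# Without an argument the constructed vulnerable sample is scanned.
check_lockfile "${1:-$SAMPLE_VULN}" || echo "exit status: $?"
```

Point the script at each deployed application's Cargo.lock (the lockfile, not Cargo.toml, records the version that was actually built) and treat exit status 1 as "rebuild required"; a lockfile can pin more than one `rustls` version when transitive dependencies disagree, which is why every entry is reported rather than only the first.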

📡 Detection & Monitoring

Log Indicators:

  • Application panic/crash logs mentioning Rustls
  • Unexpected service restarts of TLS-dependent applications

Network Indicators:

  • Unusual patterns of fragmented TLS ClientHello messages
  • Multiple failed TLS handshake attempts

SIEM Query:

source="application.logs" AND ("panic" OR "crash") AND "rustls"
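Where no SIEM is available, the same logic can be run over plain log files. The script below is an added example (not from this advisory) that mirrors the query above, ("panic" OR "crash") AND "rustls", counts matching lines per service, and lists the services at or above a threshold so a crash/restart loop stands out. The log format it assumes is "<timestamp> <service> <level> <message>", and the sample lines are constructed, with placeholder paths rather than real Rustls source locations.

```sh
#!/bin/sh
# Added example, not from the advisory: a portable stand-in for the SIEM query
# above, run over plain log files. Assumed line format (constructed):
#   "<timestamp> <service> <level> <message>"

# rustls_panic_counts FILE: print "<service> <count>" for every service with at
# least one line that is case-insensitively ("panic" OR "crash") AND "rustls".
rustls_panic_counts() {
    awk '
        {
            line = tolower($0)
            if ((index(line, "panic") || index(line, "crash")) && index(line, "rustls"))
                hits[$2]++
        }
        END { for (s in hits) print s, hits[s] }
    ' "$1" | sort
}

# services_over_threshold FILE N: print only services with N or more hits;
# a restart loop caused by repeated crafted ClientHellos shows up as a high count.
services_over_threshold() {
    rustls_panic_counts "$1" | awk -v n="$2" '$2 >= n { print $1 }'
}

# Constructed sample log lines (not captured from a real system; the crate path
# is a placeholder, not a real Rustls file location).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2024-12-05T10:14:03Z tls-gateway ERROR thread 'main' panicked at <rustls-crate-path>/src/example.rs: constructed message
2024-12-05T10:14:04Z supervisor INFO restarting tls-gateway after crash (rustls panic)
2024-12-05T10:14:09Z tls-gateway ERROR thread 'main' panicked at <rustls-crate-path>/src/example.rs: constructed message
2024-12-05T10:15:00Z web-frontend INFO request served in 12ms
2024-12-05T10:15:30Z web-frontend WARN panic recovered in template renderer (unrelated to TLS)
EOF

# Usage: sh rustls_panics.sh /var/log/app.log 2
LOG="${1:-$SAMPLE_LOG}"
THRESHOLD="${2:-2}"
rustls_panic_counts "$LOG"
echo "services at or above $THRESHOLD hits:"
services_over_threshold "$LOG" "$THRESHOLD"
```

Note that the web-frontend line mentioning "panic" is not counted because it does not mention rustls, which is the same AND condition the SIEM query applies; correlate the per-service count with the "unexpected service restart" indicator above to tell a single crash from a sustained attempt.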

🔗 References
