What is the severity of CVE-2024-34161?

CVE-2024-34161 is considered a memory leak vulnerability that can affect the stability of NGINX when configured with the HTTP/3 QUIC module.

How do I fix CVE-2024-34161?

To mitigate CVE-2024-34161, update NGINX Plus or NGINX OSS to the latest version that does not contain this vulnerability.

Which versions of NGINX are affected by CVE-2024-34161?

CVE-2024-34161 affects NGINX Plus r30 and r31, as well as NGINX OSS versions between 1.25.0 and 1.26.1 inclusive.

What happens if I don't address CVE-2024-34161?

Failing to address CVE-2024-34161 may lead to increased memory usage and potential process crashes due to memory leaks.

Is CVE-2024-34161 a potential exploit for attackers?

While CVE-2024-34161 itself is a memory leak vulnerability, it can be exploited under specific conditions, potentially allowing for denial of service.

Vulnerability/
CVE-2024-34161

medium

5.3

CWE

416

29/5/2024

24/1/2025

CVE-2024-34161: NGINX HTTP/3 QUIC vulnerability

First published: Wed May 29 2024(Updated: )

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module and the network infrastructure supports a Maximum Transmission Unit (MTU) of 4096 or greater without fragmentation, undisclosed QUIC packets can cause NGINX worker processes to leak previously freed memory.

Credit: f5sirt@f5.com

Affected Software	Affected Version	How to fix
NGINX Plus
NGINX Open Source
Nginx	>=1.25.0<1.26.1
Nginx	=r30
Nginx	=r30-p1
Nginx	=r30-p2
Nginx	=r31
Nginx	=r31-p1
Fedora	=39
Fedora	=40

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2024-34161?
CVE-2024-34161 is considered a memory leak vulnerability that can affect the stability of NGINX when configured with the HTTP/3 QUIC module.
How do I fix CVE-2024-34161?
To mitigate CVE-2024-34161, update NGINX Plus or NGINX OSS to the latest version that does not contain this vulnerability.
Which versions of NGINX are affected by CVE-2024-34161?
CVE-2024-34161 affects NGINX Plus r30 and r31, as well as NGINX OSS versions between 1.25.0 and 1.26.1 inclusive.
What happens if I don't address CVE-2024-34161?
Failing to address CVE-2024-34161 may lead to increased memory usage and potential process crashes due to memory leaks.
Is CVE-2024-34161 a potential exploit for attackers?
While CVE-2024-34161 itself is a memory leak vulnerability, it can be exploited under specific conditions, potentially allowing for denial of service.

agent/weakness
agent/title
agent/first-publish-date
agent/description
agent/type
agent/severity
agent/author
agent/event
agent/references
collector/mitre-cve
source/MITRE
agent/source
agent/trending
agent/last-modified-date
agent/guess-ai
agent/software-canonical-lookup
agent/software-canonical-lookup-request
agent/tags
agent/softwarecombine
collector/nvd-api
source/NVD
vendor/nginx
canonical/nginx plus
canonical/nginx open source
vendor/f5
canonical/nginx
version/nginx/1.25.0
version/nginx/r30
version/nginx/r30-p1
version/nginx/r30-p2
version/nginx/r31
version/nginx/r31-p1
vendor/fedoraproject
canonical/fedora
version/fedora/39
version/fedora/40

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.