Platform
c
Component
ngtcp2
Fixed in
1.22.2
CVE-2026-40170 describes a buffer overflow vulnerability affecting the ngtcp2 library, a C implementation of the IETF QUIC protocol. This vulnerability allows a remote attacker to trigger a stack overflow, potentially leading to denial of service or, in more severe cases, code execution. The vulnerability impacts versions 1.0.0 through 1.22.0 of ngtcp2 and has been resolved in version 1.22.1.
The core of the vulnerability lies in the ngtcp2qlogparameterssettransport_params() function, which handles the serialization of peer transport parameters. Critically, it writes these parameters into a fixed-size 1024-byte stack buffer without performing any bounds checking. An attacker can exploit this by crafting a QUIC handshake containing excessively large transport parameters. When the qlog callback is enabled, this oversized data will cause writes beyond the buffer's boundaries, resulting in a stack buffer overflow. Successful exploitation could lead to a denial of service by crashing the ngtcp2 process. While the description doesn't explicitly mention code execution, a stack overflow can, in certain circumstances, be leveraged to overwrite critical program data or even inject malicious code, expanding the potential impact. The severity is amplified in deployments where the qlog callback is enabled and the system processes untrusted peer transport parameters.
CVE-2026-40170 was published on 2026-04-16. Its severity is rated as HIGH (CVSS score 7.5). There is no indication of this vulnerability being actively exploited in the wild at this time, nor is it currently listed on KEV or EPSS. Public proof-of-concept (POC) exploits are not currently available, which reduces the immediate risk, but the potential for exploitation remains if a POC is developed and released.
Exploit Status
EPSS
0.05% (15% percentile)
CVSS Vector
The primary mitigation for CVE-2026-40170 is to upgrade to ngtcp2 version 1.22.1 or later, which includes the fix for this buffer overflow. If upgrading immediately is not feasible, consider disabling the qlog callback feature, as this is a prerequisite for the vulnerability to be triggered. Alternatively, implement input validation on the peer transport parameters received during the QUIC handshake to ensure they remain within acceptable size limits. WAF or proxy rules could be configured to filter out QUIC handshake messages with unusually large transport parameter sizes. Monitor system logs for any crashes or unexpected behavior related to the ngtcp2 process, which could indicate exploitation attempts.
Actualice a la versión 1.22.1 o posterior para evitar el desbordamiento del búfer de la pila. Si no es posible actualizar, desactive la funcionalidad de registro (qlog) en el cliente para mitigar el riesgo.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-40170 is a HIGH severity buffer overflow vulnerability in the ngtcp2 library, affecting versions 1.0.0 through 1.22.0. It allows a remote attacker to trigger a stack overflow by sending oversized transport parameters during a QUIC handshake when the qlog callback is enabled.
You are affected if you are using ngtcp2 versions 1.0.0 through 1.22.0 and have the qlog callback enabled, processing untrusted peer transport parameters. Check your ngtcp2 version using ngtcp2 --version.
Upgrade to ngtcp2 version 1.22.1 or later. If immediate upgrade isn't possible, disable the qlog callback or implement input validation on transport parameters.
There is currently no evidence of CVE-2026-40170 being actively exploited in the wild. However, the potential for exploitation exists if a proof-of-concept is developed.
Refer to the ngtcp2 project's official website and GitHub repository for the latest security advisories and updates: https://github.com/ngtcp2/ngtcp2
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.