Vulnerability Description
A packet of death scenario is possible in mvfst via a specially crafted message during a QUIC session, which causes a crash via a failed assertion. Per the QUIC specification, this particular message should be treated as a connection error. This issue affects mvfst versions prior to commit a67083ff4b8dcbb7ee2839da6338032030d712b0 and proxygen versions prior to v2021.03.15.00.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Facebook | Mvfst | < 2021-03-13 |
| Facebook | Proxygen | < 2021.03.15.00 |
Related Weaknesses (CWE)
References
- https://github.com/facebookincubator/mvfst/commit/a67083ff4b8dcbb7ee2839da633803 (Patch, Third Party Advisory)
- https://www.facebook.com/security/advisories/cve-2021-24029 (Vendor Advisory)
FAQ
What is CVE-2021-24029?
CVE-2021-24029 is a vulnerability with a CVSS score of 7.5 (HIGH). A packet of death scenario is possible in mvfst via a specially crafted message during a QUIC session, which causes a crash via a failed assertion. Per QUIC specification, this particular message shou...
How severe is CVE-2021-24029?
CVE-2021-24029 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2021-24029?
Check the references section above for vendor advisories and patch information. Affected products include: Facebook Mvfst, Facebook Proxygen.