CVE-2024-22588: QUIC Missing Key Discard
QUIC implementations must discard Initial and Handshake encryption keys when they are no longer needed (e.g., when the TLS handshake confirms or finishes). Failure to destroy these keys allows attackers to independently derive Initial keys from public destination Connection IDs and subsequently forge disruption packets to cause a Denial of Service.
Provally Curated | Public repository | High | Medium confidence | Verified | Apache-2.0 | Java | β
greprules fetch cve-2024-22588-quic-missing-key-discard --engine opengrep
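A sketch of the key lifecycle described above, added here as an illustration and not taken from the rule or from any QUIC library: secrets are held per encryption level, zeroed and removed at the discard points RFC 9001 section 4.9 names, and the receive path refuses packets for a level whose keys are gone. The class and method names are hypothetical and the secret bytes are constructed.

```java
import java.util.Arrays;
import java.util.EnumMap;
import java.util.Map;

// Added illustration: names are hypothetical, not taken from any QUIC library.
public class KeyDiscardDemo {
    enum Level { INITIAL, HANDSHAKE, APPLICATION }

    // Packet protection secrets per encryption level.
    private final Map<Level, byte[]> secrets = new EnumMap<>(Level.class);

    void install(Level level, byte[] secret) {
        secrets.put(level, secret.clone());
    }

    // Zero the key material and forget it, so nothing can use this level again.
    void discard(Level level) {
        byte[] old = secrets.remove(level);
        if (old != null) {
            Arrays.fill(old, (byte) 0);
        }
    }

    // Client side: Initial keys go away with the first Handshake packet sent.
    void onFirstHandshakePacketSent() { discard(Level.INITIAL); }

    // Both sides: Handshake keys go away once the handshake is confirmed.
    void onHandshakeConfirmed() {
        discard(Level.INITIAL);   // no-op if already discarded; safety net
        discard(Level.HANDSHAKE);
    }

    // Receive path: a packet at a level without keys is dropped unprocessed.
    boolean canProcess(Level level) {
        return secrets.containsKey(level);
    }

    public static void main(String[] args) {
        KeyDiscardDemo conn = new KeyDiscardDemo();
        // Constructed sample bytes standing in for real secrets.
        conn.install(Level.INITIAL, new byte[] {1, 2, 3, 4});
        conn.install(Level.HANDSHAKE, new byte[] {5, 6, 7, 8});
        conn.install(Level.APPLICATION, new byte[] {9, 10, 11, 12});

        conn.onFirstHandshakePacketSent();
        System.out.println("Initial usable: " + conn.canProcess(Level.INITIAL));
        conn.onHandshakeConfirmed();
        System.out.println("Handshake usable: " + conn.canProcess(Level.HANDSHAKE));
        System.out.println("1-RTT usable: " + conn.canProcess(Level.APPLICATION));
    }
}
```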