[SECURITY] [DSA 6222-1] ngtcp2 security update

To: debian-security-announce@lists.debian.org
Subject: [SECURITY] [DSA 6222-1] ngtcp2 security update
From: Moritz Muehlenhoff <jmm@debian.org>
Date: Tue, 21 Apr 2026 18:29:01 +0000
Message-id: <aefB7cVSbHxPASbt@seger.debian.org>
Reply-to: debian-security-announce-request@lists.debian.org

-------------------------------------------------------------------------
Debian Security Advisory DSA-6222-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 21, 2026                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : ngtcp2
CVE ID         : CVE-2026-40170

Zou Dikai discovered a buffer overflow in ngtcp2, a QUIC protocol library.

For the oldstable distribution (bookworm), this problem has been fixed
in version 0.12.1+dfsg-1+deb12u1.

For the stable distribution (trixie), this problem has been fixed in
version 1.11.0-1+deb13u1.

We recommend that you upgrade your ngtcp2 packages.

For the detailed security status of ngtcp2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ngtcp2

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
A buffer overflow vulnerability (CVE-2026-40170, CVSS 7.5 HIGH) was discovered in the ngtcp2 QUIC protocol library. For Debian bookworm, the issue is fixed in version 0.12.1+dfsg-1+deb12u1, and for trixie, in version 1.11.0-1+deb13u1. Users are advised to upgrade their ngtcp2 packages to these patched versions.