Security News

Cybersecurity news aggregator

Severity: HIGH | Category: Vulnerabilities | Source: Ubuntu Security

USN-8300-1: ngtcp2 vulnerability

A stack buffer overflow (CVE-2026-40170, CVSS 7.5 HIGH) in ngtcp2, a QUIC (RFC 9000) implementation, could lead to remote code execution when qlog is enabled: the peer's transport parameters are serialized into a fixed-size stack buffer with no bounds check, so a remote peer controls how much is written. The vulnerable code path is only reached when qlog is enabled, but the library should be updated regardless. Upstream fixed the issue in ngtcp2 1.22.1; Ubuntu ships the fix backported into the package versions listed in the notice below, so the upstream version number does not need to appear on an updated Ubuntu system.

Ubuntu Security Notices: USN-8300-1: ngtcp2 vulnerability
Publication date: 25 May 2026

Overview
ngtcp2 could be made to run programs as your login if it received specially crafted network traffic when qlog was enabled.

Releases
26.04 LTS, 25.10, 24.04 LTS, 22.04 LTS

Packages
ngtcp2 - RFC9000 QUIC protocol implementation

Details
Zou Dikai discovered that ngtcp2 serialized peer transport parameters into a fixed 1024-byte stack buffer without bounds checking. When qlog was enabled, a remote attacker could possibly use this issue to execute arbitrary code.

Update instructions
In general, a standard system update will make all the necessary changes. Note that long-running processes which already have libngtcp2 loaded keep using the old copy until they are restarted.
The problem can be corrected by updating your system to the following package versions:

Ubuntu 26.04 LTS (resolute)
  libngtcp2-16 – 1.16.0-1ubuntu0.1
  libngtcp2-crypto-gnutls-dev – 1.16.0-1ubuntu0.1
  libngtcp2-crypto-gnutls8 – 1.16.0-1ubuntu0.1
  libngtcp2-crypto-ossl-dev – 1.16.0-1ubuntu0.1
  libngtcp2-crypto-ossl0 – 1.16.0-1ubuntu0.1
  libngtcp2-dev – 1.16.0-1ubuntu0.1

Ubuntu 25.10 (questing)
  libngtcp2-16 – 1.11.0-1+deb13u1build0.25.10.1
  libngtcp2-crypto-gnutls-dev – 1.11.0-1+deb13u1build0.25.10.1
  libngtcp2-crypto-gnutls8 – 1.11.0-1+deb13u1build0.25.10.1
  libngtcp2-dev – 1.11.0-1+deb13u1build0.25.10.1
  ngtcp2-client – 1.11.0-1+deb13u1build0.25.10.1
  ngtcp2-server – 1.11.0-1+deb13u1build0.25.10.1

Ubuntu 24.04 LTS (noble)
  libngtcp2-9 – 0.12.1+dfsg-1+deb12u1build0.24.04.1
  libngtcp2-crypto-gnutls-dev – 0.12.1+dfsg-1+deb12u1build0.24.04.1
  libngtcp2-crypto-gnutls2 – 0.12.1+dfsg-1+deb12u1build0.24.04.1
  libngtcp2-dev – 0.12.1+dfsg-1+deb12u1build0.24.04.1
  ngtcp2-client – 0.12.1+dfsg-1+deb12u1build0.24.04.1
  ngtcp2-server – 0.12.1+dfsg-1+deb12u1build0.24.04.1

Ubuntu 22.04 LTS (jammy): fix available with Ubuntu Pro via ESM Apps; a community fix might become publicly available in the future.
  libngtcp2-0 – 0.1.0+dfsg-1ubuntu0.1~esm1
  libngtcp2-crypto-gnutls-dev – 0.1.0+dfsg-1ubuntu0.1~esm1
  libngtcp2-crypto-gnutls0 – 0.1.0+dfsg-1ubuntu0.1~esm1
  libngtcp2-dev – 0.1.0+dfsg-1ubuntu0.1~esm1
  ngtcp2-client – 0.1.0+dfsg-1ubuntu0.1~esm1
  ngtcp2-server – 0.1.0+dfsg-1ubuntu0.1~esm1

References
CVE-2026-40170
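The bug class in the Details section (a fixed 1024-byte stack buffer filled with peer-controlled data and no bounds check), as an added example that is not ngtcp2's code and does not reproduce its serializer or its fix: a hypothetical qlog-style serializer that hex-dumps the peer's transport parameters into a JSON fragment, written once with unchecked sprintf and once with every write bounds-checked. The struct, the JSON shape, the parameter ids, the buffer name and the sample inputs are all constructed for illustration.

```c
/* Added example, not ngtcp2's code: hypothetical qlog-style serializer for
 * peer QUIC transport parameters, unchecked pattern next to a checked one. */
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define QLOG_BUF 1024  /* the fixed buffer size named in the advisory */

/* One peer transport parameter: id plus raw value (illustrative, not wire format). */
typedef struct {
    uint64_t id;
    const uint8_t *value;
    size_t len;
} tp_t;

/* VULNERABLE pattern: sprintf into out[QLOG_BUF] with no check that the
 * peer-sized hex dump fits. Shown only for shape; never give it untrusted input. */
static size_t serialize_unchecked(char *out, const tp_t *tp, size_t n) {
    size_t off = 0;
    off += (size_t)sprintf(out + off, "{\"transport_parameters\":[");
    for (size_t i = 0; i < n; i++) {
        off += (size_t)sprintf(out + off, "%s{\"id\":%llu,\"value\":\"",
                               i ? "," : "", (unsigned long long)tp[i].id);
        for (size_t j = 0; j < tp[i].len; j++)
            off += (size_t)sprintf(out + off, "%02x", tp[i].value[j]);
        off += (size_t)sprintf(out + off, "\"}");
    }
    off += (size_t)sprintf(out + off, "]}");
    return off;  /* bytes written, excluding NUL */
}

/* Append at *off, refusing any write that would not fit with its NUL. */
static int emit(char *out, size_t cap, size_t *off, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out + *off, cap - *off, fmt, ap);
    va_end(ap);
    if (r < 0 || (size_t)r >= cap - *off) return -1;
    *off += (size_t)r;
    return 0;
}

/* HARDENED: same output, every write bounds-checked. On overflow the buffer
 * is reset to "" and -1 is returned so the caller drops the qlog event. */
static int serialize_checked(char *out, size_t cap, const tp_t *tp, size_t n) {
    size_t off = 0;
    if (cap == 0) return -1;
    out[0] = '\0';
    if (emit(out, cap, &off, "{\"transport_parameters\":[")) goto fail;
    for (size_t i = 0; i < n; i++) {
        if (emit(out, cap, &off, "%s{\"id\":%llu,\"value\":\"",
                 i ? "," : "", (unsigned long long)tp[i].id)) goto fail;
        for (size_t j = 0; j < tp[i].len; j++)
            if (emit(out, cap, &off, "%02x", tp[i].value[j])) goto fail;
        if (emit(out, cap, &off, "\"}")) goto fail;
    }
    if (emit(out, cap, &off, "]}")) goto fail;
    return 0;
fail:
    out[0] = '\0';
    return -1;
}

/* Bytes the serialized form needs (without NUL), computed without writing. */
static size_t required_len(const tp_t *tp, size_t n) {
    size_t len = strlen("{\"transport_parameters\":[") + strlen("]}");
    for (size_t i = 0; i < n; i++) {
        len += (i ? 1 : 0) + (size_t)snprintf(NULL, 0, "{\"id\":%llu,\"value\":\"",
                                             (unsigned long long)tp[i].id);
        len += 2 * tp[i].len + strlen("\"}");
    }
    return len;
}

/* Constructed sample inputs (not captured traffic). */
static const uint8_t small_val[] = {0x80, 0x00, 0x10, 0x00};
static const tp_t benign[] = {{0x04, small_val, sizeof small_val}};
static uint8_t big_val[300];
static tp_t hostile[3];
static char g_out[QLOG_BUF];

/* Three unknown-id parameters of 300 bytes: 1800 hex chars alone exceed QLOG_BUF. */
static size_t make_hostile(void) {
    memset(big_val, 0x41, sizeof big_val);
    for (size_t i = 0; i < 3; i++) {
        hostile[i].id = 0x1f00 + i;  /* ids the receiver does not recognise */
        hostile[i].value = big_val;
        hostile[i].len = sizeof big_val;
    }
    return 3;
}

int main(void) {
    size_t n = make_hostile();
    printf("benign needs %zu bytes, hostile needs %zu, buffer holds %d\n",
           required_len(benign, 1), required_len(hostile, n), QLOG_BUF);
    serialize_unchecked(g_out, benign, 1);  /* safe only because the input is small */
    printf("unchecked benign: %s\n", g_out);
    printf("checked hostile -> %d (event dropped, stack intact)\n",
           serialize_checked(g_out, sizeof g_out, hostile, n));
    return 0;
}
```

The size of the dump is chosen by the peer: RFC 9000 requires a receiver to ignore transport parameters it does not recognise rather than reject them, so a handshake can carry several large unknown-id values, and hex encoding doubles their length on the way into the buffer. The checked version treats "does not fit" as a reason to drop the log event, which is the right failure mode for diagnostic output; the alternative of sizing the buffer from required_len and allocating on the heap also works, but the decision has to be made before the first byte is written, not after.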
