CVE-2026-40170: ngtcp2 stack buffer overflow
Executive Summary
A stack-based buffer overflow exists in the ngtcp2 QUIC library. The flaw, tracked as CVE-2026-40170, resides in the qlog transport-parameter serialization logic. An unauthenticated remote peer can trigger it by sending crafted transport parameters during the QUIC handshake, provided the application has qlog enabled; with qlog disabled the vulnerable code path is never reached.
Vulnerability Analysis
The vulnerability is located in ngtcp2_qlog_parameters_set_transport_params() in lib/ngtcp2_qlog.c.
The function serializes the peer's transport parameters into a fixed 1024-byte stack buffer (uint8_t buf[1024]) and does not bound-check its writes against that buffer. When qlog is enabled, the serializer appends peer-influenced fields, such as connection IDs and address tokens, to this buffer, so the peer decides how many bytes end up being written.
An attacker can therefore supply transport parameters large enough to push the serialization cursor p past the end of the 1024-byte buffer. The writes that follow, notably those performed by ngtcp2_encode_hex and the other helper functions the serializer calls, then land beyond the buffer on the stack: an uncontrolled out-of-bounds write.
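The following is an added example, not ngtcp2's code: a minimal model of the pattern described above, a serializer that hex-encodes peer-controlled fields into a fixed 1024-byte buffer through a bare cursor, placed next to a bounded variant that checks every write against the buffer end. The field names, the JSON-like layout and the sample lengths are assumptions made for illustration; the unchecked writer is run into a deliberately oversized scratch buffer so that the demo itself stays memory-safe while still showing how far past offset 1024 it writes.

```c
/* Added example (not ngtcp2 code): unchecked vs. bounded serialization of
 * peer-controlled fields into a fixed buffer. Names/sizes are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define QLOG_BUF_LEN 1024

/* Peer-supplied values; the lengths are the peer's choice. */
struct peer_params {
    const uint8_t *cid;   size_t cidlen;   /* e.g. a connection ID */
    const uint8_t *token; size_t tokenlen; /* e.g. an address token */
};

/* Bytes one field occupies: "key":"<hex>" = 5 framing bytes + key + 2*len. */
static size_t field_len(const char *key, size_t vlen) {
    return strlen(key) + 5 + 2 * vlen;
}

/* Write "key":"<hex>" at p and return the advanced cursor. Like the hex
 * helper the advisory names, it knows nothing about the remaining room. */
static uint8_t *put_hex_field(uint8_t *p, const char *key,
                              const uint8_t *v, size_t vlen) {
    static const char hex[] = "0123456789abcdef";
    size_t klen = strlen(key);
    *p++ = '"'; memcpy(p, key, klen); p += klen; *p++ = '"';
    *p++ = ':'; *p++ = '"';
    for (size_t i = 0; i < vlen; ++i) {
        *p++ = hex[v[i] >> 4];
        *p++ = hex[v[i] & 0x0f];
    }
    *p++ = '"';
    return p;
}

/* Total bytes the serializer emits for pp: '{' field ',' field '}'. */
size_t qlog_required_len(const struct peer_params *pp) {
    return 3 + field_len("cid", pp->cidlen) + field_len("token", pp->tokenlen);
}

/* Vulnerable pattern: trusts that buf is big enough and never checks.
 * Returns the number of bytes written, however many that is. */
size_t qlog_serialize_unchecked(uint8_t *buf, const struct peer_params *pp) {
    uint8_t *p = buf;
    *p++ = '{';
    p = put_hex_field(p, "cid", pp->cid, pp->cidlen);
    *p++ = ',';
    p = put_hex_field(p, "token", pp->token, pp->tokenlen);
    *p++ = '}';
    return (size_t)(p - buf);
}

/* Bounded variant: returns NULL (and stays NULL) if the field would not fit. */
static uint8_t *put_hex_field_bounded(uint8_t *p, const uint8_t *end,
                                      const char *key,
                                      const uint8_t *v, size_t vlen) {
    if (p == NULL || (size_t)(end - p) < field_len(key, vlen)) return NULL;
    return put_hex_field(p, key, v, vlen);
}

/* Hardened pattern: every write is checked against the buffer end.
 * Returns bytes written, or -1 when the output does not fit. */
long qlog_serialize_checked(uint8_t *buf, size_t buflen,
                            const struct peer_params *pp) {
    uint8_t *p = buf;
    const uint8_t *end = buf + buflen;
    if (end - p < 1) return -1;
    *p++ = '{';
    p = put_hex_field_bounded(p, end, "cid", pp->cid, pp->cidlen);
    if (p == NULL || end - p < 1) return -1;
    *p++ = ',';
    p = put_hex_field_bounded(p, end, "token", pp->token, pp->tokenlen);
    if (p == NULL || end - p < 1) return -1;
    *p++ = '}';
    return (long)(p - buf);
}

/* Constructed samples (zero filler; only the lengths matter): a 20-byte
 * connection ID (the RFC 9000 maximum) plus a 600-byte token. */
static uint8_t g_cid[20];
static uint8_t g_token[600];
static const struct peer_params g_crafted = { g_cid, sizeof g_cid, g_token, sizeof g_token };
static const struct peer_params g_benign  = { g_cid, 8, g_token, 32 };

size_t demo_crafted_required(void) { return qlog_required_len(&g_crafted); }

/* Unchecked writer into an oversized scratch area: it emits every byte,
 * well past offset 1024 where a real uint8_t buf[1024] would have ended. */
size_t demo_crafted_unchecked(void) {
    uint8_t scratch[4096];
    return qlog_serialize_unchecked(scratch, &g_crafted);
}
long demo_crafted_checked(void) {
    uint8_t buf[QLOG_BUF_LEN];
    return qlog_serialize_checked(buf, sizeof buf, &g_crafted);
}
long demo_benign_checked(void) {
    uint8_t buf[QLOG_BUF_LEN];
    return qlog_serialize_checked(buf, sizeof buf, &g_benign);
}

int main(void) {
    printf("crafted params need %zu bytes (buffer is %d)\n",
           demo_crafted_required(), QLOG_BUF_LEN);
    printf("unchecked writer emitted %zu bytes\n", demo_crafted_unchecked());
    printf("checked writer: crafted=%ld benign=%ld\n",
           demo_crafted_checked(), demo_benign_checked());
    return 0;
}
```

The point of the bounded variant is that the check lives next to each write rather than in a one-off size estimate: a serializer that grows new fields later stays safe without anyone remembering to update a precomputed length, which is exactly the kind of drift that turns a "large enough" buffer into an overflow.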
Exploitation
Exploitation requires an application that uses ngtcp2 and has qlog enabled (qlog->write != NULL). Any remote peer that gets far enough into a QUIC handshake to deliver its transport parameters can then supply oversized values and corrupt the stack of the receiving application; no authentication is needed, because the transport parameters travel inside the handshake itself.
I have verified the vulnerability using ASAN, which consistently reports a stack-buffer-overflow originating from the function mentioned above. The official mitigation, provided in commit 708a764, increases the buffer size to 2048 bytes; however, this is a stop-gap measure that does not address the underlying lack of strict bounds validation.
Forensic Artifacts
During forensic analysis of affected systems, look for:
- Network-level signatures: Handshake packets containing unusually large or malformed QUIC transport parameters.
- System-level artifacts: Recurring application crashes (SIGSEGV) in binaries linked against the vulnerable version of ngtcp2.
- Memory/debugger output: ASAN reports citing stack-buffer-overflow with ngtcp2_qlog_parameters_set_transport_params in the call stack (only produced by builds instrumented with ASAN).
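To make the network-level signature in the list above concrete, here is an added example, not ngtcp2's code and not a ruleset from the project: a scanner for the wire format the handshake carries, the TLS quic_transport_parameters body from RFC 9000 (a sequence of id varint, length varint, value), which measures value lengths so a sensor can flag peers sending oversized or malformed parameter lists. The 64-byte threshold, the unassigned parameter id 0x1337 and the sample blobs are constructed assumptions; the scanner measures values, it does not interpret them.

```c
/* Added example (not ngtcp2 code): measure QUIC transport parameters on the
 * wire and flag oversized values. Threshold and samples are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct tp_scan {
    size_t params;      /* parameters seen */
    size_t max_value;   /* largest single value, in bytes */
    size_t total_value; /* sum of all value lengths */
    size_t oversized;   /* values longer than the threshold */
};

/* RFC 9000 section 16 varint: top two bits give the length (1/2/4/8 bytes),
 * the rest is big-endian. Returns bytes consumed, 0 if truncated. */
static size_t get_varint(const uint8_t *p, size_t len, uint64_t *out) {
    if (len == 0) return 0;
    size_t n = (size_t)1 << (p[0] >> 6);
    if (len < n) return 0;
    uint64_t v = p[0] & 0x3f;
    for (size_t i = 1; i < n; ++i) v = (v << 8) | p[i];
    *out = v;
    return n;
}

/* Walk the list. Returns 0 on success, -1 if a varint is cut off or a
 * declared length runs past the data (malformed input is itself a signal). */
int scan_transport_params(const uint8_t *buf, size_t len, size_t threshold,
                          struct tp_scan *out) {
    size_t off = 0;
    memset(out, 0, sizeof *out);
    while (off < len) {
        uint64_t id, vlen;
        size_t n = get_varint(buf + off, len - off, &id);
        if (n == 0) return -1;
        off += n;
        n = get_varint(buf + off, len - off, &vlen);
        if (n == 0) return -1;
        off += n;
        if (vlen > len - off) return -1;  /* declared length exceeds the data */
        out->params++;
        out->total_value += (size_t)vlen;
        if (vlen > out->max_value) out->max_value = (size_t)vlen;
        if (vlen > threshold) out->oversized++;
        off += (size_t)vlen;
    }
    return 0;
}

/* Encoder used only to build the samples; 1- and 2-byte varint forms
 * (values below 16384) are all the samples need. */
static size_t put_varint(uint8_t *p, uint64_t v) {
    if (v < 64) { p[0] = (uint8_t)v; return 1; }
    p[0] = (uint8_t)(0x40 | (v >> 8)); p[1] = (uint8_t)(v & 0xff); return 2;
}
static size_t put_param(uint8_t *p, uint64_t id, size_t vlen) {
    size_t n = put_varint(p, id);
    n += put_varint(p + n, vlen);
    memset(p + n, 0, vlen);  /* zero filler: only the lengths matter here */
    return n + vlen;
}

/* Constructed sample 1: ordinary sizes for three RFC 9000 parameters. */
size_t build_benign(uint8_t *out) {
    size_t n = 0;
    n += put_param(out + n, 0x00, 8);   /* original_destination_connection_id */
    n += put_param(out + n, 0x0f, 8);   /* initial_source_connection_id */
    n += put_param(out + n, 0x02, 16);  /* stateless_reset_token */
    return n;
}
/* Constructed sample 2: maximum-length (20-byte) connection IDs plus an
 * unassigned parameter id carrying a 700-byte value. */
size_t build_crafted(uint8_t *out) {
    size_t n = 0;
    n += put_param(out + n, 0x00, 20);
    n += put_param(out + n, 0x0f, 20);
    n += put_param(out + n, 0x10, 20);    /* retry_source_connection_id */
    n += put_param(out + n, 0x1337, 700); /* assumed unassigned id, huge value */
    return n;
}

#define THRESHOLD 64  /* assumption: flag any single value above 64 bytes */

int demo_oversized(size_t (*build)(uint8_t *)) {
    uint8_t blob[2048]; struct tp_scan s;
    size_t n = build(blob);
    return scan_transport_params(blob, n, THRESHOLD, &s) ? -1 : (int)s.oversized;
}
size_t demo_crafted_max(void) {
    uint8_t blob[2048]; struct tp_scan s;
    size_t n = build_crafted(blob);
    scan_transport_params(blob, n, THRESHOLD, &s);
    return s.max_value;
}
/* Drop the final byte: the last parameter's declared length no longer fits. */
int demo_truncated(void) {
    uint8_t blob[2048]; struct tp_scan s;
    size_t n = build_crafted(blob);
    return scan_transport_params(blob, n - 1, THRESHOLD, &s);
}

int main(void) {
    printf("benign: %d oversized; crafted: %d oversized, max value %zu bytes\n",
           demo_oversized(build_benign), demo_oversized(build_crafted),
           demo_crafted_max());
    printf("truncated crafted blob: scan returned %d\n", demo_truncated());
    return 0;
}
```

In a real sensor the scanner would run on the decrypted ClientHello/EncryptedExtensions contents (the parameters are visible in the ClientHello of an Initial packet once the Initial keys, which are derived from the connection ID, are applied); the value of the check is in the per-parameter maximum and the total, since a legitimate peer has no reason to send a single value anywhere near the hundreds of bytes needed to fill a 1024-byte serialization buffer.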
Mitigation and Detection
Upgrade to ngtcp2 1.22.1, which carries the patch. If an immediate upgrade is not feasible, disable qlog (leave qlog->write unset) in any application that accepts handshakes from untrusted peers, whether it acts as client or server: the overflow is only reachable while qlog is on.
Detection Logic
Use the following rules to monitor for exploitation attempts or system instability resulting from this flaw.
Sigma Rule
```yaml
title: Potential ngtcp2 Stack Buffer Overflow Attempt
id: 5a31b26a-465f-8c8f-a2e1-456789012345
status: experimental
description: Detects application-crash events (Windows Error Reporting, EventID 1001) for a binary linked against ngtcp2, as produced when crafted QUIC transport parameters overflow the qlog buffer.
logsource:
    product: windows
    service: application
detection:
    selection:
        Provider_Name: 'Windows Error Reporting'
        EventID: 1001
        # Replace the placeholder with the executable(s) actually linked against ngtcp2.
        Data|contains: 'your_application_using_ngtcp2'
    condition: selection
falsepositives:
    - Unrelated crashes of the same application
level: high
```

EventID 1001 is the Windows Error Reporting application-crash event, so the rule keys on the Application log and on the crashing image name; the application name is a placeholder and must be replaced with the binary that actually links ngtcp2. The event ID belongs in a selection, as above; Sigma does not allow field tests inside the condition.
KQL Query
```kql
Event
| where EventID == 1001
| where RenderedDescription contains "ngtcp2_qlog_parameters_set_transport_params"
| where RenderedDescription contains "stack-buffer-overflow"
| project TimeGenerated, Computer, RenderedDescription
```

The function name and the stack-buffer-overflow marker only appear in crash text from ASAN-instrumented builds; for production binaries, match on the crashing image name instead and treat the repeated-crash pattern from the Forensic Artifacts section as the signal.