CVE-2023-46239: 
Chainguard vulnerability analysis and mitigation

CVE-2023-46239 affects quic-go, an implementation of the QUIC protocol in Go. The vulnerability was discovered in versions 0.37.0 through 0.37.2, with a patch released in version 0.37.3. The issue involves a nil pointer dereference that can be triggered when an ACK frame is serialized after the CRYPTO frame during handshake completion (GitHub Advisory).

The vulnerability is caused by an unexpected frame serialization order during the handshake process. Specifically, when an ACK frame is serialized after the CRYPTO frame that completes the handshake, it can trigger a nil pointer dereference when the node attempts to drop the Handshake packet number space. The issue has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability allows an attacker to cause a denial of service by triggering a panic in the affected quic-go node. The attack requires minimal effort, as it can be executed by simply completing the QUIC handshake, which involves sending and receiving only a few packets (GitHub Advisory).

The vulnerability has been patched in quic-go version 0.37.3. Users should upgrade to this version or later to mitigate the issue. Versions prior to 0.37.0 are not affected by this vulnerability (GitHub Advisory).