CVE-2024-32974: 
NixOS vulnerability analysis and mitigation

A use-after-free vulnerability was discovered in Envoy, a cloud-native open source edge and service proxy, identified as CVE-2024-32974. The vulnerability was found in the EnvoyQuicServerStream::OnInitialHeadersComplete() function, where QUICHE continues to push request headers after StopReading() is called on the stream. This can lead to potential use-after-free issues as the HCM's ActiveStream might have already been destroyed (GitHub Advisory).

The vulnerability occurs when EnvoyQuicServerStream receives a request header referencing a new Qpack dynamic table entry that hasn't arrived yet, followed by a STOP_SENDING frame which triggers StopReading() to drop incoming requests and call HCM reset callback. The subsequent arrival of the Qpack dynamic table entry triggers OnInitialHeadersComplete(), attempting to access the already destroyed HCM ActiveStream object. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH by NVD and 5.9 MEDIUM by GitHub (NVD).

The vulnerability affects Envoy users who have configured HTTP/3 downstream. When exploited, it can lead to application crashes due to use-after-free conditions, potentially affecting service availability (GitHub Advisory).

The vulnerability has been patched in multiple versions of Envoy: 1.30.2, 1.29.5, 1.28.4, and 1.27.6. Users are advised to upgrade to these patched versions to address the security issue (GitHub Advisory).