CVE-2024-35200: 
NGINX vulnerability analysis and mitigation

CVE-2024-35200 is a security vulnerability affecting NGINX Plus and NGINX Open Source Software (OSS) when configured to use the HTTP/3 QUIC module. The vulnerability was discovered by Nils Bars of CISPA and disclosed on May 29, 2024. The affected versions include NGINX 1.25.0 through 1.25.5 and 1.26.0 (NGINX Announce).

The vulnerability is classified as a NULL Pointer Dereference (CWE-476) with a CVSS v3.1 base score of 5.3 (Medium). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD).

When exploited, this vulnerability can cause NGINX worker processes to terminate, potentially leading to service disruption. The vulnerability only affects installations where NGINX is compiled with the experimental ngxhttpv3_module and the 'quic' option of the 'listen' directive is used in the configuration file (NGINX Announce).

The vulnerability has been fixed in NGINX versions 1.26.1 and 1.27.0. Organizations running affected versions should upgrade to these patched versions. For systems where immediate upgrading is not possible, disabling the HTTP/3 QUIC module can serve as a temporary mitigation measure (Fedora Advisory).