CVE-2025-29785: 
Linux Debian vulnerability analysis and mitigation

The vulnerability (CVE-2025-29785) affects quic-go, an implementation of the QUIC protocol in Go. The issue was discovered in version v0.50.0 and was disclosed on May 31, 2025. The vulnerability involves a flaw in the loss recovery logic for path probe packets that can lead to a nil-pointer dereference when exploited by a malicious QUIC client (GitHub Advisory).

The vulnerability is caused by a flaw in the path probe packet tracking logic where under certain circumstances involving specific loss and acknowledgment patterns, the system can encounter a nil-pointer dereference. The issue has been assigned a CVSS v3.1 score of 7.5 (HIGH) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating network-based attack vector with low complexity and no required privileges or user interaction (GitHub Advisory).

When successfully exploited, the vulnerability leads to a denial of service condition through application crash due to the nil-pointer dereference. The impact is limited to availability, with no direct effect on confidentiality or integrity of the system (GitHub Advisory).

The vulnerability has been patched in version v0.50.1. The patch includes comprehensive testing with random sequences of sent packets (both regular and path probe packets) to ensure all corner cases are covered. No workarounds are available for affected versions, making upgrading to v0.50.1 the only solution (GitHub Advisory).

The vulnerability was initially reported publicly in GitHub issue #4981, where users reported regular crashes after upgrading to version v0.50.0 (GitHub Issue).