Microsoft QUIC Stack DoS via Unvalidated Input: CVE-2023-36435 October 2023

Microsoft QUIC Stack DoS via Unvalidated Input
CVE-2023-36435 Published on October 10, 2023

Microsoft QUIC Denial of Service Vulnerability
Microsoft QUIC Denial of Service Vulnerability

Weakness Type

What is a Resource Exhaustion Vulnerability?

The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CVE-2023-36435 has been classified to as a Resource Exhaustion vulnerability or weakness.

Products Associated with CVE-2023-36435

Want to know whenever a new CVE is published for Microsoft products? stack.watch will email you.

Affected Versions

Version 7.3.0 and below 7.3.9 is affected.

Version 10.0.20348.0 and below 10.0.20348.2031 is affected.

Version 10.0.0 and below 10.0.22000.2538 is affected.

Version 10.0.22621.0 and below 10.0.22621.2428 is affected.

Version 7.0.0 and below 7.0.13 is affected.

Vulnerable Packages

The following package name and versions may be associated with CVE-2023-36435

Package Manager	Vulnerable Package	Versions	Fixed In
nuget	Microsoft.Native.Quic.MsQuic.OpenSSL	< 2.2.3	2.2.3
nuget	Microsoft.Native.Quic.MsQuic.Schannel	< 2.2.3	2.2.3

Package Manager

Vulnerable Package

Versions

Fixed In

nuget

Microsoft.Native.Quic.MsQuic.OpenSSL

< 2.2.3

2.2.3

nuget

Microsoft.Native.Quic.MsQuic.Schannel

< 2.2.3

2.2.3

Exploit Probability

EPSS

2.84%

Percentile

86.16%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.