CVE-2021-24029

Summary

A packet of death scenario is possible in mvfst via a specially crafted message during a QUIC session, which causes a crash via a failed assertion. Per QUIC specification, this particular message should be treated as a connection error. This issue affects mvfst versions prior to commit a67083ff4b8dcbb7ee2839da6338032030d712b0 and proxygen versions prior to v2021.03.15.00.

Affected Software

VendorProductVersion RangeStatus
Facebookmvfsta67083ff4b8dcbb7ee2839da6338032030d712b0 < unspecifiedunaffected
Facebookmvfstunspecified < a67083ff4b8dcbb7ee2839da6338032030d712b0affected
Facebookproxygenv2021.03.15.00 < unspecifiedunaffected
Facebookproxygenunspecified < v2021.03.15.00affected

Weaknesses

  • CWE-617: Reachable Assertion (CWE-617)

ADP Enrichment

CVE Program Container

Additional References

References