CVE-2024-32650

Summary

Rustls is a modern TLS library written in Rust. rustls::ConnectionCommon::complete_io could fall into an infinite loop based on network input. When using a blocking rustls server, if a client send a close_notify message immediately after client_hello, the server's complete_io will get in an infinite loop. This vulnerability is fixed in 0.23.5, 0.22.4, and 0.21.11.

Affected Software

VendorProductVersion RangeStatus
rustlsrustls>= 0.23.0, < 0.23.5affected
rustlsrustls>= 0.22.0, < 0.22.4affected
rustlsrustls>= 0.21.0, < 0.21.11affected
rustlsrustls= 0.20.0affected

Weaknesses

  • CWE-835: CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

CVE Program Container

Additional References

References