Security Advisory Description

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module and the network infrastructure supports a Maximum Transmission Unit (MTU) of 4096 or greater without fragmentation, undisclosed QUIC packets can cause NGINX worker processes to leak previously freed memory. (CVE-2024-34161)

Note: This issue affects NGINX systems compiled with the ngx_http_v3_module module, where the configuration contains a listen directive with the quic option enabled. The HTTP/3 QUIC module is considered an experimental feature and is not compiled by default in NGINX OSS, but it is compiled by default in NGINX Plus. For more information, refer to Support for QUIC and HTTP/3.

Impact

This vulnerability allows a remote unauthenticated attacker to cause leakage of previously freed memory. The potentially leaked memory is random, cannot be controlled by the attacker, and does not include NGINX configuration or private keys. There is no control plane exposure; this is a data plane issue…