PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40170 ngtcp2 CVE debrief

CVE-2026-40170 is a high-severity stack buffer overflow in ngtcp2’s qlog transport-parameter serialization path. When qlog is enabled, a remote peer can send sufficiently large QUIC transport parameters during the handshake and trigger writes beyond a fixed 1024-byte stack buffer. The issue is fixed in ngtcp2 1.22.1, and the vendor advises disabling qlog on clients if immediate upgrading is not possible.

Vendor: ngtcp2
Product: Unknown
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-16
Original CVE updated: 2026-05-21
Advisory published: 2026-04-16
Advisory updated: 2026-05-21

Who should care

Teams running ngtcp2 in QUIC deployments, especially any environment that enables qlog and processes peer-supplied transport parameters during handshakes. Client-side integrations are specifically called out for interim mitigation.

Technical summary

ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte stack buffer without bounds checking. In versions prior to 1.22.1, an untrusted peer can supply oversized transport parameters during the QUIC handshake and cause a stack buffer overflow when qlog is enabled. The issue is mapped to CWE-121 and has CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
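To make the defect class concrete, here is an added example (not ngtcp2's own code; qlog_param_t, qlog_write_params and qlog_serialize_on_stack are hypothetical names) of a qlog-style serializer that writes peer transport parameters into a fixed 1024-byte stack buffer with the bounds check the vulnerable path lacked, refusing oversized input instead of overrunning the buffer.

```c
/* Added example, not ngtcp2's code. Shows the bounds check that turns an
 * unchecked write into a fixed 1024-byte stack buffer into a safe refusal. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define QLOG_BUF_LEN 1024  /* same fixed size as the buffer in the advisory */

typedef struct {
  const char *name;   /* transport parameter name (hypothetical rendering) */
  const char *value;  /* peer-supplied value rendered as text */
} qlog_param_t;

/* Append "name=value;" pairs to buf. Returns bytes written, or -1 when the
 * peer's parameters would not fit. The unsafe pattern is an unchecked
 * sprintf(buf + off, ...) per parameter, which lets a large value run past
 * the end of buf; snprintf plus the explicit "need" check prevents that. */
int qlog_write_params(char *buf, size_t buflen,
                      const qlog_param_t *params, size_t n) {
  size_t off = 0;
  for (size_t i = 0; i < n; i++) {
    /* bytes for name, '=', value and ';' (NUL reserved separately) */
    size_t need = strlen(params[i].name) + 1 + strlen(params[i].value) + 1;
    if (need > buflen - off - 1) {
      return -1;  /* refuse the oversized parameter set instead of overflowing */
    }
    int w = snprintf(buf + off, buflen - off, "%s=%s;",
                     params[i].name, params[i].value);
    if (w < 0 || (size_t)w != need) return -1;
    off += (size_t)w;
  }
  return (int)off;
}

/* Serialize into a 1024-byte stack buffer, as the vulnerable path did. */
int qlog_serialize_on_stack(const qlog_param_t *params, size_t n) {
  char buf[QLOG_BUF_LEN];
  return qlog_write_params(buf, sizeof(buf), params, n);
}

/* Constructed sample: a benign parameter set fits, an oversized one is
 * rejected (returns 1 when both behave as expected). */
int qlog_example_oversized_rejected(void) {
  static char big[2000];
  memset(big, 'A', sizeof(big) - 1);
  big[sizeof(big) - 1] = '\0';
  qlog_param_t ok[]  = { {"max_idle_timeout", "30000"}, {"initial_max_data", "1048576"} };
  qlog_param_t bad[] = { {"max_idle_timeout", "30000"}, {"preferred_address", big} };
  int a = qlog_serialize_on_stack(ok, 2);
  int b = qlog_serialize_on_stack(bad, 2);
  return (a == 48 && b == -1) ? 1 : 0;
}
```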

Defensive priority

High priority for any exposed deployment with qlog enabled. Upgrade to a fixed release promptly, and treat client-side qlog disablement as the immediate risk-reduction step if upgrading is delayed.

Recommended defensive actions

  • Upgrade ngtcp2 to version 1.22.1 or later as soon as possible.
  • If you cannot upgrade immediately, disable qlog on clients per the vendor guidance.
  • Inventory deployments to confirm where qlog is enabled and where untrusted peer transport parameters are processed.
  • Validate that all embedded or bundled ngtcp2 copies are also updated, not just system packages.
  • Re-test QUIC handshake paths after patching to confirm qlog behavior is still aligned with operational requirements.

Evidence notes

The CVE record's publishedAt timestamp is 2026-04-16T22:16:38.220Z, with a later NVD modification on 2026-05-21T19:35:19.783Z. The supplied NVD record lists CVSS 3.1 as AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H and notes CWE-121. The referenced GitHub advisory and commit indicate the fix landed in ngtcp2 1.22.1, and the advisory text includes the client-side qlog disablement mitigation.

Official resources

Publicly disclosed on 2026-04-16. NVD metadata in the supplied corpus was last modified on 2026-05-21 and was still marked "Undergoing Analysis" at that time.