HIGH
ngtcp2
CVE published 2026-04-16
CVE-2026-40170
CVE-2026-40170 is a high-severity stack buffer overflow in ngtcp2's qlog transport-parameter serialization path. The path is only reachable when qlog is enabled: a remote peer can then send sufficiently large QUIC transport parameters during the handshake and trigger writes beyond a fixed 1024-byte stack buffer. The issue is fixed in ngtcp2 1.22.1; the vendor advises disabling qlog on clients if upgrading immediately is not possible.
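The following C program is an added illustration of the bug class the advisory describes, written for this page; it is not ngtcp2's code and does not reproduce the actual vulnerable function. It models a qlog-style serializer that renders peer-supplied QUIC transport parameters as JSON. The `tp_entry` struct, the `QLOG_BUF_LEN` constant, the parameter names and the 600-byte value under a reserved parameter ID are all constructed for the example. The unchecked writer shows the pattern (fixed stack buffer, writes sized only by peer data); the checked writer shows the fix (every write bounded by remaining capacity, failing closed rather than truncating silently).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed illustration of the pattern the advisory describes, not ngtcp2's
   code: a qlog-style serializer for QUIC transport parameters. */
#define QLOG_BUF_LEN 1024
typedef struct {
  const char *name;     /* parameter name as written into the qlog event */
  const uint8_t *bytes; /* NULL for integer parameters, else hex-encoded */
  size_t byteslen;
  uint64_t value;       /* used when bytes == NULL */
} tp_entry;

/* Vulnerable pattern: no capacity is passed in and every write is sized by
   peer-supplied data, so a caller that passes `char buf[QLOG_BUF_LEN]` gets a
   stack overflow once the serialized parameters exceed 1024 bytes. */
size_t write_tp_unchecked(const tp_entry *tps, size_t ntps, char *out) {
  size_t n = 0;
  out[n++] = '{';
  for (size_t i = 0; i < ntps; ++i) {
    const tp_entry *e = &tps[i];
    n += (size_t)sprintf(out + n, "%s\"%s\":", i ? "," : "", e->name);
    if (e->bytes == NULL) {
      n += (size_t)sprintf(out + n, "%llu", (unsigned long long)e->value);
    } else {
      out[n++] = '"';
      for (size_t j = 0; j < e->byteslen; ++j)
        n += (size_t)sprintf(out + n, "%02x", (unsigned)e->bytes[j]);
      out[n++] = '"';
    }
  }
  out[n++] = '}'; out[n] = '\0';
  return n;
}

/* Hardened form: each write is bounded by the remaining capacity, and the
   function fails closed (-1) instead of writing past the buffer. */
static int put(char **p, char *end, const char *s, size_t n) {
  if ((size_t)(end - *p) < n) return -1;
  memcpy(*p, s, n); *p += n; return 0; }
int write_tp_checked(const tp_entry *tps, size_t ntps, char *out, size_t outcap) {
  char *p = out, *end, tmp[24];
  if (outcap == 0) return -1;
  end = out + outcap - 1; /* keep one byte for the terminator */
  if (put(&p, end, "{", 1)) return -1;
  for (size_t i = 0; i < ntps; ++i) {
    const tp_entry *e = &tps[i];
    if (i && put(&p, end, ",", 1)) return -1;
    if (put(&p, end, "\"", 1) || put(&p, end, e->name, strlen(e->name)) ||
        put(&p, end, "\":", 2))
      return -1;
    if (e->bytes == NULL) {
      int k = snprintf(tmp, sizeof tmp, "%llu", (unsigned long long)e->value);
      if (put(&p, end, tmp, (size_t)k)) return -1;
    } else {
      if (put(&p, end, "\"", 1)) return -1;
      for (size_t j = 0; j < e->byteslen; ++j) {
        snprintf(tmp, sizeof tmp, "%02x", (unsigned)e->bytes[j]);
        if (put(&p, end, tmp, 2)) return -1;
      }
      if (put(&p, end, "\"", 1)) return -1;
    }
  }
  if (put(&p, end, "}", 1)) return -1;
  *p = '\0';
  return (int)(p - out);
}

/* Constructed inputs: a normal set that fits, and one carrying a 600-byte value
   under a reserved parameter ID (31*N+27, RFC 9000 section 18.1), which a peer
   may send with any content; it hex-encodes to 1200 characters on its own. */
static const uint8_t sample_token[16] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};
static const tp_entry normal[3] = {
  {"max_idle_timeout", NULL, 0, 30000},
  {"initial_max_data", NULL, 0, 1048576},
  {"stateless_reset_token", sample_token, sizeof sample_token, 0},
};
static const uint8_t big_value[600] = {0}; /* zero-filled is enough to overrun */
static const tp_entry oversized[2] = {
  {"max_idle_timeout", NULL, 0, 30000},
  {"reserved_0x1b", big_value, sizeof big_value, 0},
};

int demo_normal_fits(void) {
  char buf[QLOG_BUF_LEN];
  int len = write_tp_checked(normal, 3, buf, sizeof buf);
  return len >= 0 && (size_t)len == strlen(buf) && strcmp(buf,
    "{\"max_idle_timeout\":30000,\"initial_max_data\":1048576,"
    "\"stateless_reset_token\":\"000102030405060708090a0b0c0d0e0f\"}") == 0;
}
/* 0 if the checked writer failed to reject the oversized input, else the length
   the unchecked writer produces in a scratch buffer large enough to hold it. */
size_t demo_oversized(void) {
  static char scratch[4096];
  char buf[QLOG_BUF_LEN];
  if (write_tp_checked(oversized, 2, buf, sizeof buf) != -1) return 0;
  return write_tp_unchecked(oversized, 2, scratch); /* 1245 > QLOG_BUF_LEN */
}
int main(void) {
  printf("normal fits: %d\n", demo_normal_fits());
  printf("unchecked length for oversized input: %zu (buffer is %d)\n", demo_oversized(), QLOG_BUF_LEN);
  return 0;
}
```

The oversized case is measured in a 4096-byte scratch buffer rather than the 1024-byte stack buffer so the program itself never corrupts its stack; the returned 1245 is how far the unchecked writer would have run past a 1024-byte buffer with the same input. Failing closed (dropping the qlog event) rather than truncating is the safer choice for a diagnostic path: a truncated JSON record is useless to the consumer, while the connection itself does not depend on the log being written.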