CVE-2026-40170
Published: 16 April 2026
Summary
CVE-2026-40170 is a high-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Tatsuhiro-T Ngtcp2. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-40170 is a stack buffer overflow vulnerability in ngtcp2, a C implementation of the IETF QUIC protocol. In versions prior to 1.22.1, the function ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte stack buffer without bounds checking. When the qlog callback is enabled, this flaw allows writes beyond the buffer boundary if sufficiently large transport parameters are received.
A remote, unauthenticated attacker can exploit this vulnerability by sending oversized transport parameters during the QUIC handshake to a vulnerable ngtcp2 deployment that processes untrusted peer parameters with qlog enabled. Successful exploitation results in a stack buffer overflow, leading to application crashes and potential denial of service, as indicated by the CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and associated CWE-121 (Stack-based Buffer Overflow).
The issue is addressed in ngtcp2 version 1.22.1, where bounds checking was added to prevent overflows. Developers unable to upgrade immediately can mitigate by disabling the qlog callback, particularly on clients. Official advisories and the fixing commit are available via ngtcp2's GitHub security page and related announcements.
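As an added defensive illustration (not ngtcp2's own code), this is the shape of bounded serialization the 1.22.1 fix implies: every write into the 1024-byte buffer is length-checked, and a parameter set that does not fit is reported as an error instead of being written past the end. Type and function names are hypothetical, and the parameter values are constructed samples.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define QLOG_TP_BUFLEN 1024  /* the fixed buffer size named in the advisory */
/* One peer transport parameter already rendered as text (hypothetical type). */
typedef struct { const char *name; const char *value; } qlog_tp;
/* Cursor over a fixed buffer: every write goes through vsnprintf with the
 * remaining capacity, and the first write that does not fit sets `overflow`. */
typedef struct { char *buf; size_t cap; size_t len; int overflow; } qlog_writer;

static void qw_put(qlog_writer *w, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(w->buf + w->len, w->cap - w->len, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= w->cap - w->len) {
        w->overflow = 1;      /* truncated: remember it and never advance past the end */
        w->len = w->cap - 1;  /* later writes can only re-write the final '\0' */
        return;
    }
    w->len += (size_t)n;
}

/* Serialize parameters as a qlog-style JSON object. Returns the length written, or -1
 * when the object does not fit (the buffer is then truncated but still NUL-terminated).
 * The unchecked pattern this replaces is `p += sprintf(p, ...)` into char buf[1024]. */
int qlog_serialize_tp(char *buf, size_t cap, const qlog_tp *tp, size_t n) {
    if (cap == 0) return -1;
    qlog_writer w = { buf, cap, 0, 0 };
    qw_put(&w, "{\"transport_parameters\":{");
    for (size_t i = 0; i < n; i++)
        qw_put(&w, "%s\"%s\":\"%s\"", i ? "," : "", tp[i].name, tp[i].value);
    qw_put(&w, "}}");
    return w.overflow ? -1 : (int)w.len;
}

/* Constructed samples (not real handshake data) written into a 1024-byte buffer. */
static char g_out[QLOG_TP_BUFLEN];
const char *demo_out(void) { return g_out; }
int demo_normal(void) {   /* ordinary-sized parameters: serialized in full */
    const qlog_tp tp[] = { {"initial_max_data", "1048576"}, {"max_idle_timeout", "30000"} };
    return qlog_serialize_tp(g_out, sizeof g_out, tp, 2);
}
int demo_oversized(void) {   /* one value longer than the whole buffer: rejected with -1 */
    static char big[1200];
    memset(big, 'f', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    const qlog_tp tp[] = { {"preferred_address", big} };
    return qlog_serialize_tp(g_out, sizeof g_out, tp, 1);
}
```

A caller that receives -1 should drop the qlog event (or log a length error) rather than emit the truncated buffer.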
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-23302
Vulnerability details
ngtcp2 is a C implementation of the IETF QUIC protocol. In versions prior to 1.22.1, ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte stack buffer without bounds checking. When qlog is enabled, a remote peer can send sufficiently large transport parameters during the QUIC handshake to cause writes beyond the buffer boundary, resulting in a stack buffer overflow. This affects deployments that enable the qlog callback and process untrusted peer transport parameters. This issue has been fixed in version 1.22.1. If developers are unable to immediately upgrade, they can disable qlog on the client.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The remote unauthenticated stack buffer overflow in the public-facing ngtcp2 QUIC library directly enables T1190 (Exploit Public-Facing Application) during handshake and T1499.004 (Application or System Exploitation) to cause crashes/DoS.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the stack buffer overflow by requiring timely remediation, namely upgrading ngtcp2 to version 1.22.1, where bounds checking was added.
- SI-10 (Information Input Validation): requires bounds checking and validation of untrusted peer transport parameters before they are serialized into the fixed stack buffer during the QUIC handshake.
- Memory protection: implements protections such as stack canaries or guard pages to mitigate exploitation of the stack buffer overflow that leads to crashes.