Cyber Resilience

CVE-2026-40170

High · Public PoC · Updated

Published: 16 April 2026

Modified: 22 May 2026
KEV Added: not listed
Patch: 17 April 2026
CVSS Score: v3.1 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0002 (6.9th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-40170 is a high-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Tatsuhiro-T Ngtcp2. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 6.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-40170 is a stack buffer overflow vulnerability in ngtcp2, a C implementation of the IETF QUIC protocol. In versions prior to 1.22.1, the function ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte stack buffer without bounds checking. When the qlog callback is enabled, this flaw allows writes beyond the buffer boundary if sufficiently large transport parameters are received.

A remote, unauthenticated attacker can exploit this vulnerability by sending oversized transport parameters during the QUIC handshake to a vulnerable ngtcp2 deployment that processes untrusted peer parameters with qlog enabled. Successful exploitation results in a stack buffer overflow, leading to application crashes and potential denial of service, as indicated by the CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and associated CWE-121 (Stack-based Buffer Overflow).

The issue is addressed in ngtcp2 version 1.22.1, where bounds checking was added to prevent overflows. Developers unable to upgrade immediately can mitigate by disabling the qlog callback, particularly on clients. Official advisories and the fixing commit are available via ngtcp2's GitHub security page and related announcements.
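The fix described above, bounds checking on a serializer that writes into a fixed stack buffer, is the pattern to look for in any qlog-style event writer. The C program below is an added illustration written for this page; it is not ngtcp2's code, and the names serialize_tparams, qlog_log_transport_params, oversized_is_rejected, QLOG_BUF_SIZE and the sample parameter values are assumptions chosen for the example. It keeps the same shape as the vulnerable pattern (a fixed 1024-byte stack buffer filled during handshake logging) but passes the remaining space to every snprintf call and refuses the whole event when the output would not fit, so an oversized peer parameter set degrades to a skipped log line rather than a write past the buffer.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Illustrative example, not ngtcp2 code: all names below are assumptions. */
#define QLOG_BUF_SIZE 1024   /* same fixed stack-buffer size as the vulnerable pattern */

struct tparam {
    const char *name;   /* transport parameter name, e.g. "initial_max_data" */
    uint64_t value;
};

/*
 * Serialize n parameters as {"name":value,...} into buf[buf_size].
 * Every snprintf receives the space that is actually left, and a truncated
 * write aborts the whole event instead of running past the buffer.
 * Returns bytes written (excluding the NUL), or -1 if the event does not fit.
 */
static int serialize_tparams(char *buf, size_t buf_size,
                             const struct tparam *params, size_t n)
{
    size_t pos = 0;
    int w;

    if (buf == NULL || buf_size == 0)
        return -1;

    w = snprintf(buf, buf_size, "{");
    if (w < 0 || (size_t)w >= buf_size)
        goto too_long;
    pos += (size_t)w;

    for (size_t i = 0; i < n; i++) {
        w = snprintf(buf + pos, buf_size - pos, "%s\"%s\":%llu",
                     i ? "," : "", params[i].name,
                     (unsigned long long)params[i].value);
        if (w < 0 || (size_t)w >= buf_size - pos)
            goto too_long;
        pos += (size_t)w;
    }

    w = snprintf(buf + pos, buf_size - pos, "}");
    if (w < 0 || (size_t)w >= buf_size - pos)
        goto too_long;
    pos += (size_t)w;
    return (int)pos;

too_long:
    buf[0] = '\0';      /* leave nothing half-written for a later reader */
    return -1;
}

/*
 * Caller with the same shape as the risky one: a fixed-size stack buffer.
 * Returns the event length, or 0 when the event was skipped because the
 * peer's parameters did not fit; the handshake itself is unaffected.
 */
int qlog_log_transport_params(const struct tparam *params, size_t n)
{
    char buf[QLOG_BUF_SIZE];
    int len = serialize_tparams(buf, sizeof buf, params, n);
    if (len < 0)
        return 0;
    /* A real program would hand buf/len to the qlog writer here. */
    return len;
}

/* Constructed check: a parameter set several times larger than the buffer
   must be refused, not written. Returns 1 when the serializer rejected it. */
int oversized_is_rejected(void)
{
    struct tparam big[64];
    char buf[QLOG_BUF_SIZE];
    for (size_t i = 0; i < 64; i++) {
        big[i].name = "constructed_parameter_name_that_is_deliberately_long";
        big[i].value = UINT64_MAX;
    }
    return serialize_tparams(buf, sizeof buf, big, 64) == -1;
}

int main(void)
{
    /* Constructed sample input, not real handshake data. */
    const struct tparam params[] = {
        { "initial_max_data", 1048576 },
        { "max_idle_timeout", 30000 },
    };
    char out[QLOG_BUF_SIZE];
    int len = serialize_tparams(out, sizeof out, params, 2);
    printf("small set: len=%d %s\n", len, out);
    printf("oversized set rejected: %d\n", oversized_is_rejected());
    return 0;
}
```

The design choice worth noting is that the serializer owns the bounds decision: it never trusts the caller to have pre-sized the input, and its failure mode is to drop one diagnostic event, which is the right trade-off for a logging path that runs on attacker-controlled handshake data.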


Vulnerability details

ngtcp2 is a C implementation of the IETF QUIC protocol. In versions prior to 1.22.1, ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte stack buffer without bounds checking. When qlog is enabled, a remote peer can send sufficiently large transport parameters during the QUIC handshake to cause writes beyond the buffer boundary, resulting in a stack buffer overflow. This affects deployments that enable the qlog callback and process untrusted peer transport parameters. This issue has been fixed in version 1.22.1. If developers are unable to immediately upgrade, they can disable qlog on the client.

CWE(s)

CWE-121 Stack-based Buffer Overflow

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The remote unauthenticated stack buffer overflow in the public-facing ngtcp2 QUIC library directly enables T1190 (Exploit Public-Facing Application) during handshake and T1499.004 (Application or System Exploitation) to cause crashes/DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-43661 (shared CWE-121)
CVE-2025-70249 (shared CWE-121)
CVE-2025-70744 (shared CWE-121)
CVE-2025-50662 (shared CWE-121)
CVE-2026-33307 (shared CWE-121)
CVE-2025-70644 (shared CWE-121)
CVE-2025-70243 (shared CWE-121)
CVE-2025-70648 (shared CWE-121)
CVE-2025-71019 (shared CWE-121)
CVE-2025-70656 (shared CWE-121)

Affected Assets

tatsuhiro-t ngtcp2, versions ≤ 1.22.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent (SI-2 Flaw Remediation): Directly mitigates the stack buffer overflow by requiring timely remediation through upgrading ngtcp2 to version 1.22.1, where bounds checking was added.

Prevent (SI-10 Information Input Validation): Requires bounds checking and validation of untrusted peer transport parameters before they are serialized into the fixed stack buffer during the QUIC handshake.

Prevent: Implements memory protections such as stack canaries or guard pages to limit the impact of the stack buffer overflow, so that an oversized write is caught as a crash rather than silently corrupting the stack.
