Facebook mvfst
cpe:2.3:a:facebook:mvfst:*:*:*:*:*:*:*
- >= 2025.03.24.00, < 2025.07.07.00
A heap-buffer-overflow vulnerability has been identified in Facebook's mvfst library, specifically in versions from v2025.03.24.00 prior to v2025.07.07.00. The vulnerability can be triggered by a specially crafted message during a QUIC session, potentially leading to memory corruption.
Exploitation triggers a heap-buffer overflow; the resulting memory corruption may allow arbitrary code execution, or may crash the application and cause a denial-of-service condition.
The vulnerability is reproduced by establishing a QUIC connection to an application built on an affected version of the mvfst library and sending the specially crafted message during the session. The message exceeds the capacity of the buffer that receives it; no further detail of its format is given.
Users can upgrade to mvfst version v2025.07.07.00 or later to address this vulnerability.
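As an added example (not part of the advisory or of the mvfst project), the following script checks whether a given mvfst version tag falls in the affected range stated above, so that a dependency inventory can be triaged against this advisory. It assumes mvfst's date-style tag format (`vYYYY.MM.DD.NN`, optional leading `v`) and treats the range as a half-open interval, `>= 2025.03.24.00` and `< 2025.07.07.00`, exactly as the advisory lists it; versions older than the lower bound are reported separately rather than declared safe, because the advisory says nothing about them.

```python
import re
import sys
from typing import Dict, Iterable, Tuple

# Affected range as stated in the advisory: >= 2025.03.24.00 and < 2025.07.07.00.
AFFECTED_MIN = "2025.03.24.00"
FIXED_VERSION = "2025.07.07.00"

# mvfst tags are date-based: vYYYY.MM.DD.NN (the leading 'v' is optional here).
_VERSION_RE = re.compile(r"^v?(\d{4})\.(\d{2})\.(\d{2})\.(\d{2})$")


def parse_mvfst_version(version: str) -> Tuple[int, int, int, int]:
    """Parse an mvfst tag such as 'v2025.03.24.00' into a comparable tuple.

    Raises ValueError for anything that does not match the date-style format,
    so a malformed entry in an inventory is never silently treated as safe.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"not an mvfst version tag: {version!r}")
    year, month, day, build = (int(g) for g in m.groups())
    return (year, month, day, build)


def is_affected(version: str) -> bool:
    """True if the version lies in the advisory's half-open affected range."""
    v = parse_mvfst_version(version)
    return parse_mvfst_version(AFFECTED_MIN) <= v < parse_mvfst_version(FIXED_VERSION)


def triage(versions: Iterable[str]) -> Dict[str, str]:
    """Classify each version string against the advisory.

    'affected' : inside the stated range, upgrade to 2025.07.07.00 or later
    'fixed'    : at or after the fixed version
    'older'    : before the stated range (not covered by this advisory's range;
                 do not assume it is safe without checking separately)
    'invalid'  : could not be parsed as an mvfst tag
    """
    lower = parse_mvfst_version(AFFECTED_MIN)
    fixed = parse_mvfst_version(FIXED_VERSION)
    result: Dict[str, str] = {}
    for ver in versions:
        try:
            v = parse_mvfst_version(ver)
        except ValueError:
            result[ver] = "invalid"
            continue
        if v < lower:
            result[ver] = "older"
        elif v < fixed:
            result[ver] = "affected"
        else:
            result[ver] = "fixed"
    return result


if __name__ == "__main__":
    # Usage: python check_mvfst.py v2025.05.01.00 v2025.07.07.00 ...
    # Constructed sample input is used when no arguments are given.
    args = sys.argv[1:] or ["v2025.03.24.00", "v2025.06.30.00", "v2025.07.07.00", "v2025.01.15.00"]
    for ver, status in triage(args).items():
        print(f"{ver}\t{status}")
    sys.exit(1 if any(s == "affected" for s in triage(args).values()) else 0)
```

The process exits non-zero when any affected version is found, which makes the script usable as a CI gate; the version tags are compared as integer tuples rather than strings so that a future tag such as `v2025.10.01.00` sorts correctly after `v2025.07.07.00`.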