ngtcp2 is a C implementation of the IETF QUIC protocol. In versions prior to 1.22.1, ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte stack buffer without bounds checking. When qlog is enabled, a remote peer can send sufficiently large transport parameters during the QUIC handshake to cause writes beyond the buffer boundary, resulting in a stack buffer overflow. This affects deployments that enable the qlog callback and process untrusted peer transport parameters. This issue has been fixed in version 1.22.1. If developers are unable to immediately upgrade, they can disable the qlog on client.

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1633 advisory.

    ngtcp2 is a C implementation of the IETF QUIC protocol. In versions prior to 1.22.1,     ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte     stack buffer without bounds checking. When qlog is enabled, a remote peer can send sufficiently large     transport parameters during the QUIC handshake to cause writes beyond the buffer boundary, resulting in a     stack buffer overflow. This affects deployments that enable the qlog callback and process untrusted peer     transport parameters. This issue has been fixed in version 1.22.1. If developers are unable to immediately     upgrade, they can disable the qlog on client. (CVE-2026-40170)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 44 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-705eb9cf95 advisory.

    # Update to 1.22.1 (rhbz#2452790)

    - Fixes     [CVE-2026-40170](https://github.com/ngtcp2/ngtcp2/security/advisories/GHSA-f523-465f-8c8f)

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 43 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-a0f25484e9 advisory.

    # Update to 1.22.1 (rhbz#2452790)

    - Fixes     [CVE-2026-40170](https://github.com/ngtcp2/ngtcp2/security/advisories/GHSA-f523-465f-8c8f)

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 12 / 13 host has packages installed that are affected by a vulnerability as referenced in the dsa-6222 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-6222-1                   security@debian.org     https://www.debian.org/security/                       Moritz Muehlenhoff     April 21, 2026                        https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : ngtcp2     CVE ID         : CVE-2026-40170

    Zou Dikai discovered a buffer overflow in ngtcp2, a QUIC protocol library.

    For the oldstable distribution (bookworm), this problem has been fixed     in version 0.12.1+dfsg-1+deb12u1.

    For the stable distribution (trixie), this problem has been fixed in     version 1.11.0-1+deb13u1.

    We recommend that you upgrade your ngtcp2 packages.

    For the detailed security status of ngtcp2 please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/ngtcp2

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - ngtcp2 is a C implementation of the IETF QUIC protocol. In versions prior to 1.22.1,     ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte     stack buffer without bounds checking. When qlog is enabled, a remote peer can send sufficiently large     transport parameters during the QUIC handshake to cause writes beyond the buffer boundary, resulting in a     stack buffer overflow. This affects deployments that enable the qlog callback and process untrusted peer     transport parameters. This issue has been fixed in version 1.22.1. If developers are unable to immediately     upgrade, they can disable the qlog on client. (CVE-2026-40170)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
311300	Amazon Linux 2023 : ngtcp2, ngtcp2-crypto-gnutls, ngtcp2-crypto-gnutls-devel (ALAS2023-2026-1633)	Nessus	Amazon Linux Local Security Checks	high
310589	Fedora 44 : ngtcp2 (2026-705eb9cf95)	Nessus	Fedora Local Security Checks	high
310577	Fedora 43 : ngtcp2 (2026-a0f25484e9)	Nessus	Fedora Local Security Checks	high
309081	Debian dsa-6222 : libngtcp2-16 - security update	Nessus	Debian Local Security Checks	high
307377	Linux Distros Unpatched Vulnerability : CVE-2026-40170	Nessus	Misc.	high

Detections

Analytics

CVE-2026-40170

high

Tenable Plugins

high

high

high

high

high