ngtcp2 is a C implementation of the IETF QUIC protocol. In versions prior to 1.22.1, ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte stack buffer without bounds checking. When qlog is enabled, a remote peer can send sufficiently large transport parameters during the QUIC handshake to cause writes beyond the buffer boundary, resulting in a stack buffer overflow. This affects deployments that enable the qlog callback and process untrusted peer transport parameters. This issue has been fixed in version 1.22.1. If developers are unable to immediately upgrade, they can disable the qlog on client.

The remote RockyLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:25049 advisory.

    * samba: Missing access check on reparse point operations (CVE-2026-1933)

    * samba: vfs_worm does not block directory modification (CVE-2026-2340)

    * samba: group policy certificate enrollment uses http:// without validation (CVE-2026-3012)

    * samba: Samba: Remote Code Execution in printing subsystem via unescaped job description (CVE-2026-4480)

    * ngtcp2: ngtcp2: Denial of service via stack buffer overflow during QUIC handshake (CVE-2026-40170)

    * samba: Remote Code Execution in SAMR (CVE-2026-4408)

Tenable has extracted the preceding description block directly from the RockyLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2026:25049 advisory.

    * samba: Missing access check on reparse point operations (CVE-2026-1933)
      * samba: vfs_worm does not block directory modification (CVE-2026-2340)
      * samba: group policy certificate enrollment uses <http://> without validation (CVE-2026-3012)
      * samba: Samba: Remote Code Execution in printing subsystem via unescaped job description     (CVE-2026-4480)
      * ngtcp2: ngtcp2: Denial of service via stack buffer overflow during QUIC handshake (CVE-2026-40170)
      * samba: Remote Code Execution in SAMR (CVE-2026-4408)

Tenable has extracted the preceding description block directly from the AlmaLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote RockyLinux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:22963 advisory.

    * samba: Missing access check on reparse point operations (CVE-2026-1933)

    * samba: vfs_worm does not block directory modification (CVE-2026-2340)

    * samba: group policy certificate enrollment uses http:// without validation (CVE-2026-3012)

    * samba: Samba: Remote Code Execution in printing subsystem via unescaped job description (CVE-2026-4480)

    * ngtcp2: ngtcp2: Denial of service via stack buffer overflow during QUIC handshake (CVE-2026-40170)

    * samba: Remote Code Execution in SAMR (CVE-2026-4408)

Tenable has extracted the preceding description block directly from the RockyLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:25049 advisory.

    Samba is an open-source implementation of the Server Message Block (SMB) protocol and the related Common     Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and     various information.

    Security Fix(es):

    * samba: Missing access check on reparse point operations (CVE-2026-1933)

    * samba: vfs_worm does not block directory modification (CVE-2026-2340)

    * samba: group policy certificate enrollment uses http:// without validation (CVE-2026-3012)

    * samba: Samba: Remote Code Execution in printing subsystem via unescaped job description (CVE-2026-4480)

    * ngtcp2: ngtcp2: Denial of service via stack buffer overflow during QUIC handshake (CVE-2026-40170)

    * samba: Remote Code Execution in SAMR (CVE-2026-4408)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:22963 advisory.

    Samba is an open-source implementation of the Server Message Block (SMB) protocol and the related Common     Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and     various information.

    Security Fix(es):

    * samba: Missing access check on reparse point operations (CVE-2026-1933)

    * samba: vfs_worm does not block directory modification (CVE-2026-2340)

    * samba: group policy certificate enrollment uses http:// without validation (CVE-2026-3012)

    * samba: Samba: Remote Code Execution in printing subsystem via unescaped job description (CVE-2026-4480)

    * ngtcp2: ngtcp2: Denial of service via stack buffer overflow during QUIC handshake (CVE-2026-40170)

    * samba: Remote Code Execution in SAMR (CVE-2026-4408)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2026:22963 advisory.

    * samba: Missing access check on reparse point operations (CVE-2026-1933)
      * samba: vfs_worm does not block directory modification (CVE-2026-2340)
      * samba: group policy certificate enrollment uses <http://> without validation (CVE-2026-3012)
      * samba: Samba: Remote Code Execution in printing subsystem via unescaped job description     (CVE-2026-4480)
      * ngtcp2: ngtcp2: Denial of service via stack buffer overflow during QUIC handshake (CVE-2026-40170)
      * samba: Remote Code Execution in SAMR (CVE-2026-4408)

Tenable has extracted the preceding description block directly from the AlmaLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-8300-1 advisory.

    Zou Dikai discovered that ngtcp2 serialized peer transport parameters into a fixed 1024-byte stack buffer     without bounds checking. When qlog was enabled, a remote attacker could possibly use this issue to execute     arbitrary code.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1633 advisory.

    ngtcp2 is a C implementation of the IETF QUIC protocol. In versions prior to 1.22.1,     ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte     stack buffer without bounds checking. When qlog is enabled, a remote peer can send sufficiently large     transport parameters during the QUIC handshake to cause writes beyond the buffer boundary, resulting in a     stack buffer overflow. This affects deployments that enable the qlog callback and process untrusted peer     transport parameters. This issue has been fixed in version 1.22.1. If developers are unable to immediately     upgrade, they can disable the qlog on client. (CVE-2026-40170)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 44 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-705eb9cf95 advisory.

    # Update to 1.22.1 (rhbz#2452790)

    - Fixes     [CVE-2026-40170](https://github.com/ngtcp2/ngtcp2/security/advisories/GHSA-f523-465f-8c8f)

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 43 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-a0f25484e9 advisory.

    # Update to 1.22.1 (rhbz#2452790)

    - Fixes     [CVE-2026-40170](https://github.com/ngtcp2/ngtcp2/security/advisories/GHSA-f523-465f-8c8f)

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 12 / 13 host has packages installed that are affected by a vulnerability as referenced in the dsa-6222 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-6222-1                   security@debian.org     https://www.debian.org/security/                       Moritz Muehlenhoff     April 21, 2026                        https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : ngtcp2     CVE ID         : CVE-2026-40170

    Zou Dikai discovered a buffer overflow in ngtcp2, a QUIC protocol library.

    For the oldstable distribution (bookworm), this problem has been fixed     in version 0.12.1+dfsg-1+deb12u1.

    For the stable distribution (trixie), this problem has been fixed in     version 1.11.0-1+deb13u1.

    We recommend that you upgrade your ngtcp2 packages.

    For the detailed security status of ngtcp2 please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/ngtcp2

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
320953	RockyLinux 9 : samba (RLSA-2026:25049)	Nessus	Rocky Linux Local Security Checks	critical
320648	AlmaLinux 9 : samba (ALSA-2026:25049)	Nessus	Alma Linux Local Security Checks	critical
320610	RockyLinux 10 : samba (RLSA-2026:22963)	Nessus	Rocky Linux Local Security Checks	critical
320371	RHEL 9 : samba (RHSA-2026:25049)	Nessus	Red Hat Local Security Checks	critical
319544	RHEL 10 : samba (RHSA-2026:22963)	Nessus	Red Hat Local Security Checks	critical
318615	AlmaLinux 10 : samba (ALSA-2026:22963)	Nessus	Alma Linux Local Security Checks	critical
316735	Ubuntu 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS : ngtcp2 vulnerability (USN-8300-1)	Nessus	Ubuntu Local Security Checks	high
311300	Amazon Linux 2023 : ngtcp2, ngtcp2-crypto-gnutls, ngtcp2-crypto-gnutls-devel (ALAS2023-2026-1633)	Nessus	Amazon Linux Local Security Checks	high
310589	Fedora 44 : ngtcp2 (2026-705eb9cf95)	Nessus	Fedora Local Security Checks	high
310577	Fedora 43 : ngtcp2 (2026-a0f25484e9)	Nessus	Fedora Local Security Checks	high
309081	Debian dsa-6222 : libngtcp2-16 - security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2026-40170

high

Tenable Plugins

critical

critical

critical

critical

critical

critical

high

high

high

high

high