CVE-2024-24990 in NGINX Plus
Summary
by MITRE • 02/14/2024
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate.
Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3 https://nginx.org/en/docs/quic.html .
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 05/27/2026
The vulnerability identified as CVE-2024-24990 represents a critical stability issue within NGINX Plus and NGINX Open Source software when utilizing the experimental HTTP/3 QUIC module. This flaw manifests as an unexpected termination of NGINX worker processes when handling undisclosed requests, creating a potential denial of service condition that could severely impact web server availability and performance. The vulnerability specifically affects systems where the QUIC module has been explicitly enabled, as the module is not activated by default and remains in experimental status according to official NGINX documentation. The undisclosed nature of the specific request patterns that trigger this behavior suggests either a complex parsing issue or a buffer overflow condition within the QUIC implementation that causes the worker processes to crash unpredictably.
From a technical perspective, this vulnerability aligns with CWE-119, which addresses improper access to memory locations, and potentially CWE-476, concerning null pointer dereferences that could occur during QUIC protocol handling. The issue demonstrates characteristics consistent with a memory corruption vulnerability where malformed or specially crafted QUIC requests can cause the worker processes to encounter invalid memory access patterns. The QUIC protocol implementation within NGINX appears to lack proper input validation or error handling mechanisms when processing certain request sequences, leading to process termination rather than graceful error recovery. This behavior violates fundamental security principles that require systems to fail gracefully rather than catastrophically, as outlined in the NIST Cybersecurity Framework's resilience requirements.
The operational impact of CVE-2024-24990 extends beyond simple service disruption, as it can lead to cascading failures within web infrastructure that relies on NGINX for HTTP/3 termination. When worker processes terminate unexpectedly, the NGINX master process must restart these components, causing temporary service interruption and potential loss of in-flight requests. This vulnerability particularly affects organizations implementing HTTP/3 services, as the experimental nature of the QUIC module means many security teams may not have adequate monitoring or incident response procedures in place for such scenarios. The risk is amplified in high-traffic environments where process restarts can cause significant performance degradation and may trigger additional resource exhaustion conditions.
Mitigation strategies for this vulnerability should prioritize immediate disabling of the QUIC module in affected systems until a patched version becomes available, aligning with the principle of least privilege and minimal attack surface. Organizations should implement comprehensive monitoring for worker process restarts and establish alerting mechanisms that can detect unusual termination patterns. The ATT&CK framework's T1499.004 technique for network denial of service should be considered when developing incident response procedures, as this vulnerability could be exploited by malicious actors to create sustained availability issues. Security teams should also conduct thorough testing of patched versions in controlled environments before deployment, given the experimental nature of the QUIC module and potential compatibility issues. Additionally, implementing rate limiting and request validation mechanisms at the network level can provide additional defense in depth while the permanent fix is being applied across affected infrastructure.