CVE-2024-32650

Publication date 19 April 2024

Last updated 11 July 2025

Ubuntu priority

Cvss 3 Severity Score

Description

Rustls is a modern TLS library written in Rust. `rustls::ConnectionCommon::complete_io` could fall into an infinite loop based on network input. When using a blocking rustls server, if a client send a `close_notify` message immediately after `client_hello`, the server's `complete_io` will get in an infinite loop. This vulnerability is fixed in 0.23.5, 0.22.4, and 0.21.11.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
rust-rustls	25.10 questing	Needs evaluation
	25.04 plucky	Ignored end of life, was needs-triage
	24.10 oracular	Ignored end of life, was needs-triage
	24.04 LTS noble	Needs evaluation
	23.10 mantic	Ignored end of life, was needs-triage
	22.04 LTS jammy	Not in release
	20.04 LTS focal	Not in release
rust-rustls-0.20	25.10 questing	Not in release
	25.04 plucky	Not in release
	24.10 oracular	Not in release
	24.04 LTS noble	Not in release
	23.10 mantic	Ignored end of life, was needs-triage
	22.04 LTS jammy	Not in release
	20.04 LTS focal	Not in release

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
rust-rustls	Upstream: 2123576 Upstream: 6e938bc Upstream: f45664f

Severity score breakdown

Parameter	Value
Base score	7.5 · High
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	None
Integrity impact	None
Availability impact	High
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2024-32650

Cvss 3 Severity Score

Description

Status

Patch details

Severity score breakdown

References

Other references

Access our resources on patching vulnerabilities