CVE-2024-24990: CWE-416 Use After Free in F5 NGINX Plus
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3 (https://nginx.org/en/docs/quic.html). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
AI Analysis
Technical Summary
CVE-2024-24990 is a high-severity use-after-free vulnerability (CWE-416) affecting F5's NGINX Plus and NGINX OSS products when configured with the HTTP/3 QUIC module. This vulnerability arises because certain undisclosed HTTP/3 QUIC requests can trigger improper memory handling within NGINX worker processes, leading to their termination. The HTTP/3 QUIC module is experimental and not enabled by default, which somewhat limits the exposure surface. However, when enabled, this vulnerability can cause denial of service (DoS) conditions by crashing worker processes, thereby impacting the availability of the web services hosted behind NGINX. The affected versions include NGINX Plus releases R30 and R31. The vulnerability has a CVSS 3.1 base score of 7.5, indicating high severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no impact on confidentiality or integrity (C:N/I:N), but high impact on availability (A:H). There are no known exploits in the wild at the time of publication, and no patches have been linked yet. Since the HTTP/3 QUIC module is experimental, this vulnerability may primarily affect early adopters or organizations testing HTTP/3 capabilities in production environments. The use-after-free condition could potentially be leveraged by attackers to cause repeated crashes, resulting in service disruption and denial of access to legitimate users.
Potential Impact
For European organizations, the primary impact of CVE-2024-24990 is on service availability. Organizations using NGINX Plus or NGINX OSS with the HTTP/3 QUIC module enabled may experience denial of service due to worker process crashes triggered by crafted HTTP/3 requests. This can disrupt critical web applications, customer-facing portals, or internal services relying on NGINX as a reverse proxy or load balancer. Given the increasing interest in HTTP/3 adoption for performance improvements, some European enterprises, especially in sectors like finance, telecommunications, and e-commerce, may be early adopters and thus at risk. The disruption could lead to operational downtime, loss of customer trust, and potential regulatory scrutiny under EU regulations such as GDPR if service interruptions affect data availability or processing. However, since the vulnerability does not impact confidentiality or integrity, risks related to data breaches are minimal. The lack of required privileges or user interaction means attackers can exploit this remotely and unauthenticated, increasing the threat level. Organizations with high availability requirements must consider this vulnerability seriously to avoid service degradation or outages.
Mitigation Recommendations
1. Disable the HTTP/3 QUIC module in NGINX Plus or NGINX OSS if it is not explicitly required, as it is experimental and not enabled by default. This eliminates the attack surface for this vulnerability.
2. For organizations requiring HTTP/3, monitor F5 and NGINX advisories closely for patches or updates addressing CVE-2024-24990 and apply them promptly once available.
3. Implement network-level protections such as rate limiting or filtering of HTTP/3 traffic to detect and block anomalous or malformed QUIC requests that could trigger the vulnerability.
4. Deploy robust monitoring and alerting on NGINX worker process health to detect crashes early and enable rapid incident response.
5. Consider isolating NGINX instances running HTTP/3 behind additional layers of security controls or within segmented network zones to limit potential impact.
6. Conduct thorough testing in staging environments before enabling HTTP/3 in production to evaluate stability and security posture.
7. Engage with F5 support or professional services for guidance on secure HTTP/3 deployment and vulnerability mitigation strategies.
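One way to act on recommendations 1 and 4, as an added example that is not part of the original advisory or any F5 tooling: a Python check that finds active `listen ... quic` directives in a configuration and counts worker exits caused by a signal in the error log. The sample config, the sample log lines, the function names and the threshold of 2 are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample config (not from the page). "listen ... quic" is how
# nginx enables an HTTP/3 QUIC listener (see nginx.org/en/docs/quic.html).
SAMPLE_CONF = """\
server {
    listen 443 ssl;
    listen 443 quic reuseport;   # HTTP/3 listener
    # listen 8443 quic;          (commented out, must not be reported)
    listen [::]:443 quic;
    server_name quic.example.test;
}
"""

# Constructed error-log lines in nginx's error_log format.
SAMPLE_LOG = """\
2024/02/14 10:12:01 [alert] 1001#1001: worker process 1010 exited on signal 11 (core dumped)
2024/02/14 10:12:01 [notice] 1001#1001: start worker process 1042
2024/02/14 10:12:03 [alert] 1001#1001: worker process 1042 exited on signal 11
2024/02/14 10:13:40 [notice] 1001#1001: worker process 1050 exited with code 0
"""

LISTEN_RE = re.compile(r"\blisten\s+([^;]*);")
CRASH_RE = re.compile(r"\[alert\] \d+#\d+: worker process (\d+) exited on signal (\d+)")

def quic_listeners(conf_text):
    """Return (line_number, address) for every active 'listen ... quic;'."""
    found = []
    for num, line in enumerate(conf_text.splitlines(), start=1):
        active = line.split("#", 1)[0]          # drop trailing/full-line comments
        for match in LISTEN_RE.finditer(active):
            params = match.group(1).split()
            if "quic" in params[1:]:            # params[0] is the address/port
                found.append((num, params[0]))
    return found

def worker_crashes(log_text):
    """Count worker exits caused by a signal, keyed by signal number."""
    return Counter(int(m.group(2)) for m in CRASH_RE.finditer(log_text))

def at_risk(conf_text, log_text, threshold=2):
    """True when QUIC is exposed and signal exits reach the alert threshold."""
    crashes = sum(worker_crashes(log_text).values())
    return bool(quic_listeners(conf_text)) and crashes >= threshold

if __name__ == "__main__":
    print(quic_listeners(SAMPLE_CONF), dict(worker_crashes(SAMPLE_LOG)))
```

Run it against the output of `nginx -T` so directives in included files are covered; directives split across several lines and `#` inside quoted strings are not handled.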
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Finland, Norway, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: f5
- Date Reserved: 2024-02-02T00:32:55.375Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9819c4522896dcbd8542
Added to database: 5/21/2025, 9:08:41 AM
Last enriched: 7/5/2025, 6:40:24 AM
Last updated: 8/14/2025, 12:15:56 AM