CVE-2022-41717

moderate-risk

Published 2022-12-08

An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.

Do I need to act?

0.33% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.3/10 Medium

NETWORK / LOW complexity

Affected Products (4)

Http2

Fedora

Affected Vendors

Fedoraproject Golang

References (47)

Patch https://go.dev/cl/455635

Patch https://go.dev/cl/455717

Patch https://go.dev/issue/56350

Mailing List https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproje...

Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproje...

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproje...

Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproje...

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproje...

and 27 more references

/ 100

moderate-risk

Severity 21/34 · High

Exploitability 1/34 · Minimal

Exposure 10/34 · Low