CVE-2024-28182

moderate-risk
Published 2024-04-04

nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.

Do I need to act?

!
25.0% chance of exploitation in next 30 days
EPSS score — higher than 75% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.3/10 Medium
NETWORK / LOW complexity

Affected Products (6)

Affected Vendors

Debian Fedoraproject Nghttp2

References (18)

Mailing List http://www.openwall.com/lists/oss-security/2024/04/03/16
Patch https://github.com/nghttp2/nghttp2/commit/00201ecd8f982da3b67d4f6868af72a1b03b14...
Patch https://github.com/nghttp2/nghttp2/commit/d71a4668c6bead55805d18810d633fbb98315a...
Vendor Advisory https://github.com/nghttp2/nghttp2/security/advisories/GHSA-x6x3-gv8h-m57q
Mailing List https://lists.debian.org/debian-lts-announce/2024/04/msg00026.html
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproje...
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproje...
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproje...
Mailing List http://www.openwall.com/lists/oss-security/2024/04/03/16
Patch https://github.com/nghttp2/nghttp2/commit/00201ecd8f982da3b67d4f6868af72a1b03b14...
Patch https://github.com/nghttp2/nghttp2/commit/d71a4668c6bead55805d18810d633fbb98315a...
Vendor Advisory https://github.com/nghttp2/nghttp2/security/advisories/GHSA-x6x3-gv8h-m57q
Mailing List https://lists.debian.org/debian-lts-announce/2024/04/msg00026.html
Mailing List https://lists.debian.org/debian-lts-announce/2024/09/msg00041.html
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproje...
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproje...
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproje...
https://www.kb.cert.org/vuls/id/421644
49
/ 100
moderate-risk
Severity 21/34 · High
Exploitability 15/34 · Moderate
Exposure 13/34 · Low