When a HTTP/2 stream was reset (RST frame) by a client, there was a time window were the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that. This was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During "normal" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out. Users are recommended to upgrade to version 2.4.58, which fixes the issue.
History

Fri, 22 Nov 2024 12:00:00 +0000


Tue, 15 Oct 2024 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770

Mon, 14 Oct 2024 09:30:00 +0000


Mon, 14 Oct 2024 09:15:00 +0000

Type Values Removed Values Added
Description When a HTTP/2 stream was reset (RST frame) by a client, there was a time window were the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that. This was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During "normal" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out. Users are recommended to upgrade to version 2.4.58, which fixes the issue. When a HTTP/2 stream was reset (RST frame) by a client, there was a time window were the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that. This was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During "normal" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out. Users are recommended to upgrade to version 2.4.58, which fixes the issue.
Weaknesses CWE-404
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 09 Oct 2024 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Debian
Debian debian Linux
Weaknesses CWE-770
CPEs cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
Vendors & Products Debian
Debian debian Linux

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published: 2023-10-23T06:50:23.991Z

Updated: 2024-10-14T09:01:44.836Z

Reserved: 2023-10-13T09:44:15.791Z

Link: CVE-2023-45802

cve-icon Vulnrichment

Updated: 2024-08-02T20:29:32.370Z

cve-icon NVD

Status : Modified

Published: 2023-10-23T07:15:11.330

Modified: 2024-11-21T08:27:23.030

Link: CVE-2023-45802

cve-icon Redhat

Severity : Moderate

Publid Date: 2023-10-19T00:00:00Z

Links: CVE-2023-45802 - Bugzilla