nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.
History

Fri, 22 Nov 2024 12:00:00 +0000

Type Values Removed Values Added
References

Fri, 27 Sep 2024 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Nghttp2
Nghttp2 nghttp2
CPEs cpe:2.3:a:nghttp2:nghttp2:*:*:*:*:*:*:*:*
Vendors & Products Nghttp2
Nghttp2 nghttp2
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-04-04T14:41:36.587Z

Updated: 2024-09-27T16:02:59.311Z

Reserved: 2024-03-06T17:35:00.857Z

Link: CVE-2024-28182

cve-icon Vulnrichment

Updated: 2024-09-27T16:02:59.311Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-04-04T15:15:38.427

Modified: 2024-11-21T09:05:58.537

Link: CVE-2024-28182

cve-icon Redhat

Severity : Moderate

Publid Date: 2024-04-03T00:00:00Z

Links: CVE-2024-28182 - Bugzilla