Description
A HTTP/2 implementation built using any version of the Python priority library prior to version 1.2.0 could be targeted by a malicious peer by having that peer assign priority information for every possible HTTP/2 stream ID. The priority tree would happily continue to store the priority information for each stream, and would therefore allocate unbounded amounts of memory. Attempting to actually use a tree like this would also cause extremely high CPU usage to maintain the tree.
References (2)
Core 2
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/92311
Mitigation, Vendor Advisory x_refsource_confirm
https://python-hyper.org/priority/en/latest/security/CVE-2016-6580.html
Scores
CVSS v3
7.5
EPSS
0.0048
EPSS Percentile
65.1%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-399
Status
published
Products (4)
pypi/priority
0 - 1.2.0PyPI
python/python_priority_library
1.0.0
python/python_priority_library
1.1.0
python/python_priority_library
1.1.1
Published
Jan 10, 2017
Tracked Since
Feb 18, 2026