CVE-2016-9589

HIGH

Red Hat JBoss WildFly Application Server < 10.1.0 - Denial of Service via HTTP Header Cache Exhaustion


Exploitation Summary

EIP tracks 2 public exploits for CVE-2016-9589. PoCs published by dawetmaster, andikahilmy.

AI-analyzed exploit summary: The repository contains source code files from the Undertow project but lacks any exploit code or technical analysis related to CVE-2016-9589. The README is a generic description of Undertow without vulnerability details.

Description

Undertow in Red Hat WildFly before version 11.0.0.Beta1 is vulnerable to a resource exhaustion resulting in a denial of service. Undertow keeps a cache of seen HTTP headers in persistent connections. It was found that this cache can easily be exploited to fill memory with garbage, up to "max-headers" (default 200) * "max-header-size" (default 1MB) per active TCP connection.

Exploits (2)

nomisec STUB
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2016-9589-undertow-vulnerable

The repository contains source code files from the Undertow project but lacks any exploit code or technical analysis related to CVE-2016-9589. The README is a generic description of Undertow without vulnerability details.

Classification
Stub 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: Undertow (version not specified)
No auth needed
devstral-2 · analyzed Mar 14, 2026
nomisec STUB
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2016-9589-undertow-vulnerable

The repository contains source code files from the Undertow project but lacks any exploit code or technical analysis related to CVE-2016-9589. The README is a generic description of Undertow without vulnerability details.

Classification
Stub 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: Undertow (version not specified)
No auth needed
devstral-2 · analyzed Feb 18, 2026

References (13)

Core References (13)
Vendor Advisory: http://rhn.redhat.com/errata/RHSA-2017-0831.html
Vendor Advisory: http://rhn.redhat.com/errata/RHSA-2017-0876.html
Vendor Advisory: http://rhn.redhat.com/errata/RHSA-2017-0834.html
Issue Tracking: https://bugzilla.redhat.com/show_bug.cgi?id=1404782
Vendor Advisory: https://access.redhat.com/errata/RHSA-2017:3458
Vendor Advisory: http://rhn.redhat.com/errata/RHSA-2017-0832.html
Third Party Advisory, VDB Entry: http://www.securityfocus.com/bid/97060
Vendor Advisory: https://access.redhat.com/errata/RHSA-2017:3455
Vendor Advisory: https://access.redhat.com/errata/RHSA-2017:3456
Vendor Advisory: https://access.redhat.com/errata/RHSA-2017:0873
Vendor Advisory: https://access.redhat.com/errata/RHSA-2017:3454
Vendor Advisory: http://rhn.redhat.com/errata/RHSA-2017-0830.html
Vendor Advisory: https://access.redhat.com/errata/RHSA-2017:0872

Scores

CVSS v3 7.5
EPSS 0.0219
EPSS Percentile 84.8%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-400
Status published
Products (3)
org.wildfly/wildfly-undertow 0 - 11.0.0.Beta1 (Maven)
redhat/jboss_wildfly_application_server 11.0.0 alpha1
redhat/jboss_wildfly_application_server < 10.1.0
Published Mar 12, 2018
Tracked Since Feb 18, 2026