CVE-2019-9518

HIGH

HTTP/2 - DoS

Title source: llm

Description

Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU.

References (27)

[Mailing List, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html

[Mailing List, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html

[Mailing List, Third Party Advisory] http://seclists.org/fulldisclosure/2019/Aug/16

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:2925

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:2939

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:2955

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:3892

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:4352

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0727

[Third Party Advisory] https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md

View Writeup ZIP pw:eip

[Third Party Advisory, US Government Resource] https://kb.cert.org/vuls/id/605641/

[Third Party Advisory] https://kc.mcafee.com/corporate/index?page=content&id=SB10296

[Mailing List] https://lists.apache.org/thread.html/091b518265bce56a16af87b77c8cfacda902a02079e866f9fdf13b61%40%3Cusers.trafficserver.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/2653c56545573b528f3f6352a29eccaf498bd6fb2a6a59568d81a61d%40%3Cannounce.trafficserver.apache.org%3E

[Mailing List, Third Party Advisory] https://seclists.org/bugtraq/2019/Aug/24

[Mailing List, Third Party Advisory] https://seclists.org/bugtraq/2019/Sep/18

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20190823-0005/

[Third Party Advisory] https://support.f5.com/csp/article/K46011592

[Vendor Advisory] https://support.f5.com/csp/article/K46011592?utm_source=f5support&amp%3Butm_medium=RSS

[Third Party Advisory] https://www.debian.org/security/2019/dsa-4520

... and 7 more

Scores

CVSS v3 7.5

EPSS 0.0367

EPSS Percentile 87.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Classification

CWE

CWE-770 CWE-400

Status published

Affected Products (25)

apple/swiftnio < 1.4.0

apache/traffic_server < 6.2.3

canonical/ubuntu_linux

canonical/ubuntu_linux

canonical/ubuntu_linux

debian/debian_linux

debian/debian_linux

synology/skynas

synology/diskstation_manager

synology/vs960hd_firmware

fedoraproject/fedora

fedoraproject/fedora

opensuse/leap

opensuse/leap

redhat/jboss_core_services

... and 10 more

Timeline

Published Aug 13, 2019

Tracked Since Feb 18, 2026