CVE-2021-36154

HIGH

gRPC Swift <= 1.1.1 - Denial of Service via HTTP/2 Frame Message Flood

Title source: llm

Description

HTTP2ToRawGRPCServerCodec in gRPC Swift 1.1.1 and earlier allows remote attackers to deny service via the delivery of many small messages within a single HTTP/2 frame, leading to Uncontrolled Recursion and stack consumption.

References (3)

Core 3

Core References

Release Notes, Third Party Advisory x_refsource_misc

https://github.com/grpc/grpc-swift/releases

Mailing List, Third Party Advisory x_refsource_misc

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35274

Third Party Advisory x_refsource_misc

https://github.com/grpc/grpc-swift/security/advisories/GHSA-4rhq-vq24-88gw

Scores

CVSS v3 7.5

EPSS 0.0208

EPSS Percentile 79.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE

CWE-674

Status published

Products (4)

linuxfoundation/grpc_swift 1.0.0

linuxfoundation/grpc_swift 1.1.0

linuxfoundation/grpc_swift 1.1.1

SwiftURL/github.com/grpc/grpc-swift 0 - 1.2.0SwiftURL

Published Jul 09, 2021

Tracked Since Feb 18, 2026