CVE-2022-41717

MEDIUM

Go Server < - Memory Corruption

Title source: llm

Description

An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
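The following is an added example, not code from the Go project or from this record. It models a per-connection header-key cache that is capped by entry count only, next to the same cache with an additional byte budget. The type, the function names and both limits (32 entries, 2048 bytes) are assumptions chosen for illustration, and the keys are constructed input.

```go
package main

import (
	"fmt"
	"net/textproto"
	"strings"
)

// keyCache models a per-connection cache of canonicalized header keys.
// Both limits are assumed values; maxBytes == 0 means "entry cap only".
type keyCache struct {
	maxEntries, maxBytes int
	bytes                int
	m                    map[string]string
}

func newKeyCache(maxEntries, maxBytes int) *keyCache {
	return &keyCache{maxEntries: maxEntries, maxBytes: maxBytes, m: map[string]string{}}
}

// canonical returns the canonical form of key, caching it only while the
// cache stays inside both the entry budget and (if set) the byte budget.
func (c *keyCache) canonical(key string) string {
	if v, ok := c.m[key]; ok {
		return v
	}
	v := textproto.CanonicalMIMEHeaderKey(key)
	cost := len(key) + len(v)
	if len(c.m) >= c.maxEntries || (c.maxBytes > 0 && c.bytes+cost > c.maxBytes) {
		return v // still served, just not retained
	}
	c.m[key] = v
	c.bytes += cost
	return v
}

// retainedAfter feeds n distinct keys of keyLen bytes each (constructed
// input) through the cache and reports how many bytes it still holds.
func retainedAfter(c *keyCache, n, keyLen int) int {
	for i := 0; i < n; i++ {
		c.canonical(fmt.Sprintf("x-%04d-", i) + strings.Repeat("a", keyLen-7))
	}
	return c.bytes
}

func main() {
	fmt.Println("entry cap only:  ", retainedAfter(newKeyCache(32, 0), 100, 64<<10))
	fmt.Println("entry + byte cap:", retainedAfter(newKeyCache(32, 2048), 100, 64<<10))
}
```

With only the entry cap, retained memory scales with the size of the keys the client chooses; with the byte budget it is bounded regardless of key length.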

Exploits (1)

nomisec WORKING POC
by domdom82 · poc
https://github.com/domdom82/h2conn-exploit


Scores

CVSS v3 5.3
EPSS 0.0033
EPSS Percentile 56.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Details

CWE
CWE-770
Status published
Products (5)
fedoraproject/fedora 37
fedoraproject/fedora 38
golang/go < 1.18.9
golang/http2 < 0.4.0
x/net 0 - 0.4.0 (2 CPE variants) Go
Published Dec 08, 2022
Tracked Since Feb 18, 2026