CVE-2022-41717

MEDIUM

Go Server < - Memory Corruption

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-41717. PoCs published by domdom82.

AI-analyzed exploit summary: This Go-based exploit targets CVE-2022-41717 by flooding an HTTP/2 server with large header names to trigger a denial-of-service (DoS) condition. It establishes multiple concurrent connections, each sending requests with oversized headers to exhaust server resources.

Description

An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.

Exploits (1)

nomisec WORKING POC
by domdom82 · poc
https://github.com/domdom82/h2conn-exploit

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: HTTP/2 servers (e.g., Apache Traffic Server, other vulnerable implementations)
No auth needed
Prerequisites: Network access to the target HTTP/2 server · TLS/HTTP/2 support on the target
devstral-2 · analyzed Feb 16, 2026

References (24)

Core References
Patch, Vendor Advisory: https://go.dev/cl/455635
Patch, Vendor Advisory: https://go.dev/cl/455717
Patch, Third Party Advisory: https://go.dev/issue/56350
Mailing List, Release Notes, Third Party Advisory: https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ

Scores

CVSS v3 5.3
EPSS 0.0033
EPSS Percentile 56.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Details

CWE: CWE-770
Status: published
Products (5)
fedoraproject/fedora 37
fedoraproject/fedora 38
golang/go < 1.18.9
golang/http2 < 0.4.0
x/net 0 - 0.4.0 (2 CPE variants, Go)
Published: Dec 08, 2022
Tracked Since: Feb 18, 2026