CVE-2024-28182

MEDIUM

Nghttp2 < 1.61.0 - Resource Allocation Without Limits

Title source: rule

Description

nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Before version 1.61.0, the library keeps reading an unbounded number of HTTP/2 CONTINUATION frames even after a stream has been reset, because it must consume the entire header block to keep the connection-wide HPACK decoding context in sync. Decoding that HPACK data costs CPU, so a peer that sends an endless CONTINUATION sequence can drive excessive CPU usage on the receiver. nghttp2 v1.61.0 mitigates this by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.
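The following is an added illustration of the mechanism described above, not code from nghttp2. It models a receiver that follows RFC 9113 framing: a HEADERS frame without END_HEADERS must be followed by CONTINUATION frames on the same stream, and because the HPACK dynamic table is shared by the whole connection, the decoder has to consume every byte of the block even after the receiver has reset the stream (here, because the block grew past a size limit). HPACK decoding is only modelled as a byte count, the traffic is constructed inline, and the per-stream CONTINUATION cap passed to `run()` is an assumed value, not nghttp2's.

```python
"""Simulate an HTTP/2 receiver handling a CONTINUATION flood on a header
block it has already given up on (CWE-770 as described in the advisory).

Added example, not nghttp2 code. Frame layout follows RFC 9113 (9-byte
header); HPACK decoding is modelled as a byte count; the CONTINUATION
limit is an assumption for illustration.
"""
import struct

HEADERS, CONTINUATION = 0x1, 0x9
FLAG_END_HEADERS = 0x4


def frame(ftype, flags, stream_id, payload):
    """Serialise one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id."""
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def iter_frames(buf):
    """Yield (type, flags, stream_id, payload) from a byte string of frames."""
    off = 0
    while off + 9 <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        sid = struct.unpack(">I", buf[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = buf[off + 9:off + 9 + length]
        if len(payload) < length:
            raise ValueError("truncated frame")
        yield ftype, flags, sid, payload
        off += 9 + length


class Receiver:
    """Minimal header-block state machine.

    max_continuations=None reproduces the unbounded behaviour the advisory
    describes; an integer is the mitigation (the value is an assumption).
    """

    def __init__(self, max_continuations=None, max_header_block=4096):
        self.max_continuations = max_continuations
        self.max_header_block = max_header_block
        self.hdr_stream = None      # stream whose header block is in flight
        self.hdr_bytes = 0
        self.continuations = 0      # CONTINUATIONs seen for hdr_stream
        self.reset_streams = set()  # streams we reset locally
        self.hpack_bytes_fed = 0    # proxy for HPACK decoder CPU cost

    def feed(self, buf):
        for ftype, flags, sid, payload in iter_frames(buf):
            if self.hdr_stream is not None and (ftype != CONTINUATION or sid != self.hdr_stream):
                return "PROTOCOL_ERROR"   # RFC 9113: nothing may interleave a header block
            if ftype == HEADERS:
                self.hdr_stream, self.hdr_bytes, self.continuations = sid, 0, 0
            elif ftype == CONTINUATION:
                if self.hdr_stream is None:
                    return "PROTOCOL_ERROR"
                self.continuations += 1
                if self.max_continuations is not None and self.continuations > self.max_continuations:
                    return "ENHANCE_YOUR_CALM"  # connection error: stop decoding altogether
            else:
                continue  # other frame types are irrelevant to this model
            # HPACK state is connection-wide, so the decoder must consume every
            # byte even when the stream has already been reset.
            self.hpack_bytes_fed += len(payload)
            self.hdr_bytes += len(payload)
            if self.hdr_bytes > self.max_header_block:
                self.reset_streams.add(sid)  # oversized block: reset the stream, but...
            if flags & FLAG_END_HEADERS:     # ...CONTINUATIONs are still read until here
                self.hdr_stream = None
        return "OK"


def continuation_flood(n_frames, chunk=1024):
    """Constructed traffic: HEADERS without END_HEADERS, then n_frames CONTINUATIONs
    (only the last carries END_HEADERS). Filler bytes stand in for HPACK data."""
    blob = frame(HEADERS, 0, 1, b"\x00" * chunk)
    for i in range(n_frames):
        flags = FLAG_END_HEADERS if i == n_frames - 1 else 0
        blob += frame(CONTINUATION, flags, 1, b"\x00" * chunk)
    return blob


def run(n_frames, max_continuations=None):
    """Return (result, CONTINUATIONs processed, bytes handed to HPACK, stream 1 reset?)."""
    rx = Receiver(max_continuations=max_continuations)
    result = rx.feed(continuation_flood(n_frames))
    return result, rx.continuations, rx.hpack_bytes_fed, 1 in rx.reset_streams


if __name__ == "__main__":
    print("unbounded:", run(1000))      # every frame reaches the HPACK decoder
    print("capped at 8:", run(1000, 8))  # connection torn down after the 9th
    print("small request:", run(3, 8))   # legitimate multi-frame block still passes
```

With no cap, all 1000 CONTINUATION frames (about 1 MiB of filler here, unbounded in practice) are handed to the HPACK decoder even though the receiver reset stream 1 after the fourth frame; with a per-stream cap the connection is closed after the cap is exceeded, which is the shape of the 1.61.0 mitigation. A realistic header block of a few frames is unaffected by the cap.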

Exploits (1)

GitHub, working PoC, 15 stars
by lockness-Ko · gopoc
https://github.com/lockness-Ko/CVE-2024-27316
Note: the linked repository is named for CVE-2024-27316, the Apache httpd mod_http2 CONTINUATION-flood issue disclosed alongside this one; it exercises the same frame sequence but is not an nghttp2-specific PoC.

Scores

CVSS v3 5.3
EPSS 0.2497
EPSS Percentile 96.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Details

CWE
CWE-770
Status published
Products (6)
debian/debian_linux 10.0
debian/debian_linux 11.0
fedoraproject/fedora 38
fedoraproject/fedora 39
fedoraproject/fedora 40
nghttp2/nghttp2 < 1.61.0
Published Apr 04, 2024
Tracked Since Feb 18, 2026