CVE-2024-28182

MEDIUM

Nghttp2 < 1.61.0 - Resource Allocation Without Limits

Title source: rule

Description

nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Before version 1.61.0, the library keeps reading an unbounded number of HTTP/2 CONTINUATION frames even after it has reset the stream they belong to, because it must continue decoding the header block to keep its HPACK context in sync with the peer's. A remote peer can therefore make the receiver spend excessive CPU decoding HPACK data for a stream whose headers will never be delivered. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.
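The following is an added illustration of the mechanism described above, not code from nghttp2 or from the advisory. It builds raw HTTP/2 frames (9-byte header per RFC 9113), constructs the flood pattern (a HEADERS frame without END_HEADERS followed by CONTINUATION frames that never finish the block), and models a receiver that resets the stream once the header block grows too large but keeps decoding for HPACK sync. With no cap the decoding work grows with the number of frames sent; with a per-block cap the connection is torn down. The constants MAX_HEADER_BLOCK and MAX_CONTINUATIONS, the error strings, and the traffic are assumptions chosen for the demonstration, not nghttp2's values.

```python
"""Added example: a minimal HTTP/2 frame builder and a model of the receiver's
CONTINUATION handling, before and after a per-header-block cap of the kind
nghttp2 1.61.0 introduced.  Illustrative code, not nghttp2's implementation.
The 9-byte frame header layout follows RFC 9113; MAX_HEADER_BLOCK and
MAX_CONTINUATIONS are assumed values chosen for the demonstration."""

HEADERS, CONTINUATION = 0x1, 0x9
END_HEADERS = 0x4
MAX_HEADER_BLOCK = 64      # assumed: header block size at which the receiver resets the stream
MAX_CONTINUATIONS = 8      # assumed: cap on CONTINUATION frames per header block


def frame(ftype, flags, stream_id, payload):
    """Serialise one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload too large for a 24-bit length field")
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def iter_frames(data):
    """Yield (type, flags, stream_id, payload) tuples from concatenated frames."""
    off = 0
    while off < len(data):
        if off + 9 > len(data):
            raise ValueError("truncated frame header")
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        yield ftype, flags, stream_id, payload
        off += 9 + length


def continuation_flood(stream_id, count, chunk=16):
    """Constructed attacker traffic: a HEADERS frame without END_HEADERS followed
    by `count` CONTINUATION frames that never set END_HEADERS.  0x82 is the
    HPACK indexed representation of ':method: GET' (static table entry 2), so
    every payload byte is valid HPACK that the receiver has to decode."""
    frames = [frame(HEADERS, 0, stream_id, b"\x82" * chunk)]
    frames += [frame(CONTINUATION, 0, stream_id, b"\x82" * chunk) for _ in range(count)]
    return b"".join(frames)


def receive(data, limit=None):
    """Model of the receiving side of a header block.

    Once the accumulated block exceeds MAX_HEADER_BLOCK the receiver resets the
    stream, but it must still run every remaining CONTINUATION payload through
    the HPACK decoder so its dynamic table stays in sync with the peer's.  With
    limit=None that work is unbounded (the pre-1.61.0 behaviour).  With a limit,
    the connection is torn down once more than `limit` CONTINUATION frames
    arrive for a single header block (the 1.61.0-style mitigation).
    Returns counters describing what the receiver did."""
    stats = {"hpack_bytes_decoded": 0, "continuations": 0,
             "stream_reset": False, "connection_error": None}
    block_stream = None   # stream whose header block is currently open
    block_len = 0
    for ftype, flags, stream_id, payload in iter_frames(data):
        if block_stream is None:
            if ftype == CONTINUATION:
                stats["connection_error"] = "PROTOCOL_ERROR: CONTINUATION without HEADERS"
                break
            if ftype != HEADERS:
                continue          # other frame types are not modelled here
            block_stream, block_len, stats["continuations"] = stream_id, 0, 0
        else:
            # RFC 9113 section 4.3: a header block must be contiguous on one stream.
            if ftype != CONTINUATION or stream_id != block_stream:
                stats["connection_error"] = "PROTOCOL_ERROR: interrupted header block"
                break
            stats["continuations"] += 1
            if limit is not None and stats["continuations"] > limit:
                stats["connection_error"] = "too many CONTINUATION frames"  # assumed label
                break
        stats["hpack_bytes_decoded"] += len(payload)   # decoding cost is paid even after a reset
        block_len += len(payload)
        if block_len > MAX_HEADER_BLOCK:
            stats["stream_reset"] = True                # headers discarded, decoding continues
        if flags & END_HEADERS:
            block_stream = None
    return stats


if __name__ == "__main__":
    flood = continuation_flood(stream_id=1, count=1000)
    print("unbounded:", receive(flood))
    print("capped:   ", receive(flood, limit=MAX_CONTINUATIONS))
```

Run stand-alone, the unbounded receiver reports roughly 16 KB of HPACK decoding for a thousand frames on a stream it already reset, and the number grows linearly with `count`; the capped receiver stops after nine CONTINUATION frames and records a connection error. The cap is a connection-level defence, which is why the advisory offers no workaround short of upgrading: a stream reset alone does not stop the peer from sending more frames that the decoder has to consume.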

Exploits (1)

github WORKING POC 15 stars
by lockness-Ko · gopoc
https://github.com/lockness-Ko/CVE-2024-27316

Scores

CVSS v3 5.3
EPSS 0.2497
EPSS Percentile 96.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Classification

CWE
CWE-770
Status published

Affected Products (6)

nghttp2/nghttp2 < 1.61.0
debian/debian_linux
debian/debian_linux
fedoraproject/fedora
fedoraproject/fedora
fedoraproject/fedora

Timeline

Published Apr 04, 2024
Tracked Since Feb 18, 2026