oss-sec mailing list archives

CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames

From: Eric Covener <covener () apache org>
Date: Thu, 04 Apr 2024 13:56:54 +0000

Severity: moderate

Affected versions:

- Apache HTTP Server 2.4.17 through 2.4.58

Description:

HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative 
HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.

Credit:

Bartek Nowotarski (https://nowotarski.info/)  (finder)

References:

https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-27316

Timeline:

2024-02-22: Reported to security team

Current thread:

CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames Eric Covener (Apr 04)