Lucene search
K

22 matches found

Snyk
Snyk
added 2026/07/01 7:24 p.m.5 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the lack of enforced limits in the HPackDecoder process. An attacker can exhaust system memory by sending oversized compressed header blocks before the HTTP/2 SETTINGS...

7.5CVSS6.1AI score0.00587EPSS
Exploits0References2
OSV
OSV
added 2026/07/01 6:16 p.m.3 views

DEBIAN-CVE-2026-54428

Allocation of resources without limits or throttling in the HTTP/2 HPACK decoder in Apache HttpComponents Core 5.4.2 and earlier, 5.5-beta1 and earlier allows an remote attacker to cause a denial of service through memory exhaustion by sending oversized compressed header blocks before the HTTP/2...

7.5CVSS5.8AI score0.00587EPSS
Exploits0References1
NVD
NVD
added 2026/07/01 6:16 p.m.9 views

CVE-2026-54428

Allocation of resources without limits or throttling in the HTTP/2 HPACK decoder in Apache HttpComponents Core 5.4.2 and earlier, 5.5-beta1 and earlier allows an remote attacker to cause a denial of service through memory exhaustion by sending oversized compressed header blocks before the HTTP/2...

7.5CVSS0.00587EPSS
Exploits0References2
OSV
OSV
added 2026/07/01 6:16 p.m.3 views

UBUNTU-CVE-2026-54428

Allocation of resources without limits or throttling in the HTTP/2 HPACK decoder in Apache HttpComponents Core 5.4.2 and earlier, 5.5-beta1 and earlier allows an remote attacker to cause a denial of service through memory exhaustion by sending oversized compressed header blocks before the HTTP/2...

7.5CVSS5.8AI score0.00587EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/06/12 3:7 p.m.12 views

SwiftNIO NIOHTTP1: HTTPDecoder accepts unbounded HTTP/1 header blocks, enabling remote DoS

Summary The HTTPDecoder in NIOHTTP1 enforces no limit on the total size of an HTTP/1 message's header block or on the number of header fields per message. A remote peer can submit an arbitrary number of small, valid headers in a single request and have them all accumulated into the resulting...

5.8AI score0.00048EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/06/12 3:7 p.m.9 views

GHSA-RJ37-6J9X-74Q6 SwiftNIO NIOHTTP1: HTTPDecoder accepts unbounded HTTP/1 header blocks, enabling remote DoS

Summary The HTTPDecoder in NIOHTTP1 enforces no limit on the total size of an HTTP/1 message's header block or on the number of header fields per message. A remote peer can submit an arbitrary number of small, valid headers in a single request and have them all accumulated into the resulting...

8.7CVSS5.9AI score0.00048EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/06 9:14 a.m.12 views

EUVD-2026-34964

Protocol::HTTP2 versions through 1.12 for Perl is vulnerable to a HTTP/2 Bomb. Protocol::HTTP2's inbound HPACK path has no header-list size limit, so a small HTTP/2 request can expand into large server memory the "HTTP/2 bomb". The headersdecode method materialises a full key+value copy per index...

5.7AI score0.00414EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/06/02 2:15 p.m.11 views

CVE-2026-49754 HTTP/2 CONTINUATION flood in Mint client via unbounded header-block accumulation

Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint Mint allows attacker-controlled HTTP/2 servers to exhaust memory in a Mint client HTTP/2 CONTINUATION flood. When Mint's HTTP/2 receive path observes a HEADERS frame without the ENDHEADERS flag, the unparsed...

8.2CVSS5.9AI score0.00384EPSS
Exploits0References4
CVE
CVE
added 2026/06/02 2:15 p.m.25 views

CVE-2026-49754

The CVE-2026-49754 entry describes a memory exhaustion vulnerability in elixir-mint Mint’s HTTP/2 receive path. When a HEADERS frame arrives without END_HEADERS, the unparsed header-block is queued and each subsequent CONTINUATION frame on that stream appends to the accumulator with no cap. There...

8.2CVSS5.9AI score0.00384EPSS
Exploits0References4
OSV
OSV
added 2026/05/13 6:6 p.m.1 views

CVE-2026-42582 Netty: HTTP/3 QPACK literal unbounded allocation

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoderdecodeHuffmanEncodedLiteral may execute new bytelength for a string literal before verifying that length byt...

7.5CVSS6AI score0.00437EPSS
Exploits1References3
CNNVD
CNNVD
added 2026/05/13 12:0 a.m.14 views

Netty 安全漏洞

Netty is a non-blocking I/O client-server framework developed by the Netty community. It is primarily used for developing Java network applications, such as protocol servers and clients. Versions of Netty prior to 4.2.13.Final contained security vulnerabilities. These vulnerabilities stemmed from...

7.5CVSS5.9AI score0.00437EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/04/16 9:19 p.m.3 views

CVE-2026-35469 SpdyStream: DOS on CRI

spdystream is a Go library for multiplexing streams over SPDY connections. In versions 0.5.0 and below, the SPDY/3 frame parser does not validate attacker-controlled counts and lengths before allocating memory. Three allocation paths are affected: the SETTINGS frame entry count, the header count ...

8.7CVSS5.7AI score0.00656EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/04/16 9:19 p.m.29 views

CVE-2026-35469 SpdyStream: DOS on CRI

spdystream is a Go library for multiplexing streams over SPDY connections. In versions 0.5.0 and below, the SPDY/3 frame parser does not validate attacker-controlled counts and lengths before allocating memory. Three allocation paths are affected: the SETTINGS frame entry count, the header count ...

8.7CVSS0.00656EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/04/16 12:0 a.m.6 views

PT-2026-33367

Name of the Vulnerable Software and Affected Versions spdystream versions prior to 0.5.1 Description The SPDY/3 frame parser fails to validate attacker-controlled counts and lengths before allocating memory. This occurs in three allocation paths: the SETTINGS frame entry count, the header count i...

8.7CVSS5.8AI score0.00656EPSS
Exploits0
Positive Technologies
Positive Technologies
added 2026/01/07 12:0 a.m.5 views

PT-2026-1587

Name of the Vulnerable Software and Affected Versions Rankology SEO and Analytics Tool versions prior to 2.1 Description The Rankology SEO and Analytics Tool plugin for WordPress has an issue where data can be modified without proper authorization. This is due to a flawed capability check on the...

2.7CVSS6.7AI score0.0021EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/01/07 12:0 a.m.4 views

WordPress plugin Rankology SEO and Analytics Tool 授权问题漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin.... An authorization...

2.7CVSS6.6AI score0.0021EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2025/05/23 1:9 a.m.3 views

CVE-2022-24667

A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HPACK-encoded header block. This attack affects all swift-nio-http2 versions from 1.0.0 to 1.19.1. There are a number of implementation errors in the parsing of...

7.5CVSS6.9AI score0.01119EPSS
Exploits0References1
Amazon
Amazon
added 2025/04/29 12:0 a.m.8 views

Medium: containerd

Issue Overview: Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB...

7.5CVSS6.8AI score0.01544EPSS
Exploits0
RedhatCVE
RedhatCVE
added 2023/02/09 9:20 p.m.50 views

CVE-2022-2879

A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. After fixing, Reader.Read limits the maximum size of header blocks to 1 MiB. This flaw allows a maliciously crafted archive to cause Read to allocate unbounded amounts of memory,...

6.5CVSS7.4AI score0.01544EPSS
Exploits0References5
OSV
OSV
added 2022/10/14 12:0 a.m.22 views

CVE-2022-2879 Unbounded memory consumption when reading headers in archive/tar

Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB...

7.5CVSS6.9AI score0.01544EPSS
Exploits0References8
Rows per page
Query Builder