5 matches found
CVE-2023-44487
CVE-2023-44487 – HTTP/2 Rapid Reset DoS Root cause: HTTP/2 stream resets can cause servers to continue processing, leading to unbounded resource consumption and potential DoS when clients rapidly cancel streams. What’s affected: Various HTTP/2 implementations and deployments, including servers, p...
CVE-2023-39325
CVE-2023-39325 describes a DoS in HTTP/2 handling where a malicious client rapidly creates and resets requests, potentially exhausting server resources. The fix tightens per-connection concurrency handling: servers bound the number of executing handler goroutines to the stream-concurrency limit (...
CVE-2022-41717
CVE-2022-41717 affects Go HTTP/2 servers by allowing an attacker to trigger excessive memory growth via oversized header keys. The vulnerability stems from the HTTP/2 header key cache, which can allocate about 64 MiB per open connection when handling large keys. Several connected advisories confi...
CVE-2022-41723
CVE-2022-41723 describes a denial-of-service in the HPACK decoder triggered by a malicious HTTP/2 stream, causing excessive CPU use. Public documents list affected ecosystems across Go HTTP/2/x/net implementations and various distributions (e.g., Red Hat OpenStack platforms, Astra Linux, CBLMarin...
CVE-2026-33814
CVE-2026-33814 describes an infinite loop in HTTP/2 transport when a SETTINGS_MAX_FRAME_SIZE value of 0 is processed in net/http/internal/http2 (golang.org/x/net). Affected component is the HTTP/2 transport; root cause is improper handling of SETTINGS frames causing repeated CONTINUATION frames, ...