CVE-2024-28182 Reading unbounded number of HTTP/2 CONTINUATION frames to cause excessive CPU usage

2024-04-0414:41:36

CWE-770

GitHub_M

github.com

cve-2024-28182

http/2

continuation frames

excessive cpu usage

nghttp2

vulnerability

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

AI Score

5.4

Confidence

High

SSVC

Exploitation

none

Automatable

yes

Technical Impact

partial

JSON

nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:nghttp2:nghttp2:*:*:*:*:*:*:*:*"
    ],
    "vendor": "nghttp2",
    "product": "nghttp2",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "1.61.0",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  }
]