CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Severity: moderate

Affected versions:

- Apache HTTP Server 2.4.17 through 2.4.58

Description:

HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.

Credit:

Bartek Nowotarski (https://nowotarski.info/)  (finder)

References:

https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-27316

Timeline:

2024-02-22: Reported to security team


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux