MidnightBSD

Advisories for nghttp2

CVE-2015-8659 HIGH

The idle stream handling in nghttp2 before 1.6.0 allows attackers to have unspecified impact via unknown vectors, aka a heap-use-after-free bug.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119

Products Affected

Vendor Product Version
nghttp2 nghttp2 *
apple tvos *
apple mac_os_x *
apple watchos *
apple iphone_os *

CVE-2016-1544 LOW

nghttp2 before 1.7.1 allows remote attackers to cause a denial of service (memory exhaustion).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L 1.8 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-400

Products Affected

Vendor Product Version
fedoraproject fedora 22
nghttp2 nghttp2 *
fedoraproject fedora 23

CVE-2018-1000168 MEDIUM

nghttp2 versions >= 1.10.0 and <= 1.31.0 contain an Improper Input Validation (CWE-20) vulnerability in ALTSVC frame handling that can result in a segmentation fault leading to denial of service. This attack appears to be exploitable via a network client. This vulnerability appears to have been fixed in 1.31.1 and later.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20, CWE-476

Products Affected

Vendor Product Version
nghttp2 nghttp2 *
debian debian_linux 9.0
nodejs node.js *

CVE-2020-11080 MEDIUM

In nghttp2 before version 1.41.0, an overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround for this vulnerability: implement the nghttp2_on_frame_recv_callback callback, and if the received frame is a SETTINGS frame and the number of settings entries is large (e.g., > 32), drop the connection.
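The workaround's threshold check, shown as an added example that is not nghttp2's or MidnightBSD's code: it applies the same limit to a raw 9-byte HTTP/2 frame header instead of running inside the library callback, and it also rejects malformed SETTINGS frames. The names `check_settings_frame`, `make_frame_hdr` and `MAX_SETTINGS_ENTRIES` are hypothetical, and the caller is assumed to pass bytes that start at a frame boundary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define H2_FRAME_HDR_LEN      9   /* 24-bit length, type, flags, 31-bit stream id */
#define H2_TYPE_SETTINGS      0x4
#define H2_FLAG_ACK           0x1
#define H2_SETTINGS_ENTRY_LEN 6   /* 16-bit identifier + 32-bit value */
#define MAX_SETTINGS_ENTRIES  32  /* example threshold from the advisory text */

enum verdict { FRAME_OK, FRAME_NEED_MORE, FRAME_DROP_CONNECTION };

/* Hypothetical helper: judge the frame whose header starts at buf[0].
 * Inside nghttp2's on_frame_recv callback the same count is
 * frame->settings.niv when frame->hd.type == NGHTTP2_SETTINGS. */
enum verdict check_settings_frame(const uint8_t *buf, size_t len, size_t *entries)
{
    *entries = 0;
    if (len < H2_FRAME_HDR_LEN)
        return FRAME_NEED_MORE;
    uint32_t payload_len = ((uint32_t)buf[0] << 16) | ((uint32_t)buf[1] << 8) | buf[2];
    uint8_t type = buf[3], flags = buf[4];
    uint32_t stream_id = ((uint32_t)(buf[5] & 0x7f) << 24) | ((uint32_t)buf[6] << 16) |
                         ((uint32_t)buf[7] << 8) | buf[8];
    if (type != H2_TYPE_SETTINGS)
        return FRAME_OK;
    /* Malformed SETTINGS: non-zero stream, ACK with payload, or partial entry. */
    if (stream_id != 0 || ((flags & H2_FLAG_ACK) && payload_len != 0) ||
        payload_len % H2_SETTINGS_ENTRY_LEN != 0)
        return FRAME_DROP_CONNECTION;
    *entries = payload_len / H2_SETTINGS_ENTRY_LEN;
    return *entries > MAX_SETTINGS_ENTRIES ? FRAME_DROP_CONNECTION : FRAME_OK;
}

/* Build a constructed 9-byte frame header for the sample below. */
void make_frame_hdr(uint8_t out[9], uint32_t len, uint8_t type, uint8_t flags, uint32_t sid)
{
    out[0] = (uint8_t)(len >> 16); out[1] = (uint8_t)(len >> 8); out[2] = (uint8_t)len;
    out[3] = type; out[4] = flags;
    out[5] = (uint8_t)((sid >> 24) & 0x7f); out[6] = (uint8_t)(sid >> 16);
    out[7] = (uint8_t)(sid >> 8); out[8] = (uint8_t)sid;
}

int main(void)
{
    uint8_t hdr[9];
    size_t n;
    make_frame_hdr(hdr, 14400, H2_TYPE_SETTINGS, 0, 0); /* size named in the advisory */
    enum verdict v = check_settings_frame(hdr, sizeof hdr, &n);
    printf("entries=%zu drop=%d\n", n, v == FRAME_DROP_CONNECTION);
    return 0;
}
```

Because the decision needs only the frame header, the connection can be closed before the SETTINGS payload is buffered or parsed.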

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
security-advisories@github.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-707, CWE-400

Products Affected

Vendor Product Version
opensuse leap 15.1
debian debian_linux 9.0
fedoraproject fedora 31
oracle enterprise_communications_broker 3.2.0
nodejs node.js *
oracle banking_extensibility_workbench 14.3.0
oracle blockchain_platform *
debian debian_linux 10.0
nghttp2 nghttp2 *
oracle mysql *
fedoraproject fedora 33
oracle graalvm 20.1.0
oracle enterprise_communications_broker 3.1.0
oracle graalvm 19.3.2
oracle banking_extensibility_workbench 14.4.0

CVE-2023-35945

Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy’s HTTP/2 codec may leak a header map and bookkeeping structures upon receiving `RST_STREAM` immediately followed by `GOAWAY` frames from an upstream server. In nghttp2, cleanup of pending requests due to receipt of the `GOAWAY` frame skips de-allocation of the bookkeeping structure and pending compressed header. The error return [code path] is taken if the connection is already marked as not sending more requests due to the `GOAWAY` frame. The clean-up code is right after the return statement, causing a memory leak. The result is denial of service through memory exhaustion. This vulnerability was patched in versions 1.26.3, 1.25.8, 1.24.9, 1.23.11.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
nghttp2 nghttp2 *
envoyproxy envoy *

CVE-2023-44487

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
golang http2 *
redhat jboss_enterprise_application_platform 6.0.0
f5 big-ip_carrier-grade_nat 17.1.0
redhat ceph_storage 5.0
redhat advanced_cluster_security 3.0
f5 nginx_ingress_controller *
redhat machine_deletion_remediation_operator -
redhat openshift_serverless -
netapp oncommand_insight -
cisco unified_contact_center_management_portal -
f5 big-ip_ddos_hybrid_defender *
f5 big-ip_ssl_orchestrator 17.1.0
redhat migration_toolkit_for_virtualization -
microsoft asp.net_core *
redhat network_observability_operator -
cisco crosswork_situation_manager -
f5 nginx_plus *
akka http_server *
ietf http 2.0
f5 big-ip_fraud_protection_service 17.1.0
redhat jboss_a-mq_streams -
f5 big-ip_advanced_firewall_manager *
golang go *
cisco unified_contact_center_enterprise -
cisco data_center_network_manager -
golang networking *
microsoft azure_kubernetes_service *
cisco crosswork_data_gateway 5.0
cisco unified_attendant_console_advanced -
debian debian_linux 10.0
redhat openshift -
redhat build_of_optaplanner 8.0
linkerd linkerd *
redhat enterprise_linux 9.0
f5 big-ip_link_controller 17.1.0
konghq kong_gateway *
f5 big-ip_advanced_firewall_manager 17.1.0
fedoraproject fedora 37
istio istio *
linkerd linkerd 2.14.1
redhat jboss_enterprise_application_platform 7.0.0
netty netty *
redhat integration_camel_k -
redhat advanced_cluster_security 4.0
f5 big-ip_analytics 17.1.0
redhat openshift_container_platform 4.0
redhat run_once_duration_override_operator -
redhat cost_management -
redhat quay 3.0.0
redhat openstack_platform 16.2
redhat node_maintenance_operator -
fedoraproject fedora 38
debian debian_linux 12.0
eclipse jetty *
redhat openshift_api_for_data_protection -
cisco business_process_automation *
f5 big-ip_policy_enforcement_manager 17.1.0
f5 big-ip_policy_enforcement_manager *
redhat jboss_core_services -
linkerd linkerd 2.13.0
envoyproxy envoy 1.27.0
f5 big-ip_application_acceleration_manager 17.1.0
f5 nginx_plus r29
cisco ultra_cloud_core_-_serving_gateway_function *
microsoft windows_server_2022 -
amazon opensearch_data_prepper *
redhat jboss_fuse 7.0.0
apache traffic_server *
apple swiftnio_http/2 *
redhat single_sign-on 7.0
cisco unified_contact_center_enterprise_-_live_data_server *
redhat openshift_developer_tools_and_services -
f5 big-ip_carrier-grade_nat *
f5 big-ip_access_policy_manager 17.1.0
redhat cert-manager_operator_for_red_hat_openshift -
cisco telepresence_video_communication_server *
cisco ios_xr *
f5 big-ip_application_security_manager 17.1.0
f5 big-ip_ssl_orchestrator *
cisco crosswork_data_gateway *
dena h2o *
f5 nginx *
microsoft windows_10_1809 *
redhat openshift_service_mesh 2.0
linecorp armeria *
microsoft windows_10_1607 *
f5 big-ip_domain_name_system *
apache apisix *
cisco ultra_cloud_core_-_policy_control_function 2024.01.0
microsoft cbl-mariner *
cisco secure_malware_analytics *
traefik traefik *
cisco crosswork_zero_touch_provisioning *
nghttp2 nghttp2 *
f5 big-ip_advanced_web_application_firewall *
envoyproxy envoy 1.26.4
redhat ansible_automation_platform 2.0
f5 big-ip_advanced_web_application_firewall 17.1.0
netapp astra_control_center -
f5 big-ip_global_traffic_manager 17.1.0
f5 big-ip_local_traffic_manager 17.1.0
redhat logging_subsystem_for_red_hat_openshift -
cisco secure_web_appliance_firmware *
cisco expressway *
cisco prime_access_registrar *
redhat advanced_cluster_management_for_kubernetes 2.0
redhat openshift_secondary_scheduler_operator -
cisco firepower_threat_defense *
cisco fog_director *
envoyproxy envoy 1.25.9
f5 big-ip_domain_name_system 17.1.0
redhat enterprise_linux 6.0
apache tomcat *
traefik traefik 3.0.0
f5 big-ip_application_acceleration_manager *
redhat openshift_distributed_tracing -
redhat process_automation 7.0
f5 big-ip_fraud_protection_service *
microsoft .net *
redhat 3scale_api_management_platform 2.0
redhat decision_manager 7.0
redhat integration_camel_for_spring_boot -
redhat jboss_data_grid 7.0.0
redhat openshift_gitops -
redhat enterprise_linux 8.0
cisco prime_infrastructure *
redhat web_terminal -
openresty openresty *
cisco prime_network_registrar *
cisco iot_field_network_director *
redhat migration_toolkit_for_containers -
grpc grpc *
redhat openstack_platform 16.1
redhat service_telemetry_framework 1.5
f5 big-ip_global_traffic_manager *
redhat openshift_data_science -
f5 big-ip_analytics *
f5 big-ip_websafe *
redhat node_healthcheck_operator -
microsoft windows_11_22h2 *
f5 big-ip_link_controller *
redhat certification_for_red_hat_enterprise_linux 8.0
cisco ultra_cloud_core_-_session_management_function *
redhat integration_service_registry -
apache solr *
cisco connected_mobile_experiences *
varnish_cache_project varnish_cache *
f5 nginx_plus r30
redhat satellite 6.0
redhat openstack_platform 17.1
f5 big-ip_application_security_manager *
microsoft windows_server_2016 -
f5 big-ip_access_policy_manager *
grpc grpc 1.57.0
redhat cryostat 2.0
f5 big-ip_next_service_proxy_for_kubernetes *
cisco secure_dynamic_attributes_connector *
redhat openshift_pipelines -
cisco prime_cable_provisioning *
kazu-yamamoto http2 *
redhat openshift_container_platform_assisted_installer -
redhat service_interconnect 1.0
jenkins jenkins *
cisco enterprise_chat_and_email -
f5 big-ip_local_traffic_manager *
projectcontour contour *
apache tomcat 11.0.0
redhat openshift_sandboxed_containers -
microsoft windows_10_22h2 *
microsoft windows_10_21h2 *
f5 big-ip_application_visibility_and_reporting 17.1.0
envoyproxy envoy 1.24.10
redhat build_of_quarkus -
redhat jboss_fuse 6.0.0
f5 big-ip_ddos_hybrid_defender 17.1.0
linkerd linkerd 2.14.0
redhat fence_agents_remediation_operator -
cisco ios_xe *
nodejs node.js *
f5 big-ip_webaccelerator 17.1.0
linkerd linkerd 2.13.1
cisco ultra_cloud_core_-_policy_control_function *
microsoft windows_server_2019 -
f5 big-ip_application_visibility_and_reporting *
redhat support_for_spring_boot -
f5 big-ip_websafe 17.1.0
redhat openshift_dev_spaces -
f5 big-ip_webaccelerator *
cisco unified_contact_center_domain_manager -
cisco nx-os *
caddyserver caddy *
facebook proxygen *
f5 big-ip_next 20.0.1
redhat jboss_a-mq 7
redhat certification_for_red_hat_enterprise_linux 9.0
debian debian_linux 11.0
redhat self_node_remediation_operator -
redhat migration_toolkit_for_applications 6.0
microsoft visual_studio_2022 *
microsoft windows_11_21h2 *
redhat openshift_virtualization 4

CVE-2024-28182

nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading an unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset, in order to keep the HPACK context in sync. This causes excessive CPU usage to decode the HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

Products Affected

Vendor Product Version
fedoraproject fedora 38
nghttp2 nghttp2 *
fedoraproject fedora 39
fedoraproject fedora 40
debian debian_linux 10.0
debian debian_linux 11.0

CVE-2026-27135

nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when the user-facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. These functions may also be called internally by the library when it detects a condition that is subject to a connection error. Due to missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Receiving a malformed frame that causes FRAME_SIZE_ERROR then triggers an assertion failure. nghttp2 v1.68.1 adds the missing state validation to avoid the assertion failure. No known workarounds are available.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
nghttp2 nghttp2 *