Skip to main content

CVE-2026-35469

| EUVDEUVD-2026-23298 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-04-16 https://github.com/moby/spdystream GHSA-pc3f-x583-g7j2
8.7
CVSS 4.0 · Vendor: https://github.com/moby/spdystream
Share

Severity by source

Vendor (https://github.com/moby/spdystream) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
6.5 HIGH
qualitative

Primary rating from Vendor (https://github.com/moby/spdystream).

CVSS VectorVendor: https://github.com/moby/spdystream

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch released
Apr 29, 2026 - 21:04 nvd
Patch available
Patch available
Apr 16, 2026 - 22:01 EUVD
EUVD ID Assigned
Apr 16, 2026 - 21:15 euvd
EUVD-2026-23298
CVE Published
Apr 16, 2026 - 20:44 nvd
HIGH 8.7

DescriptionCVE.org

The SPDY/3 frame parser in spdystream does not validate attacker-controlled counts and lengths before allocating memory. A remote peer that can send SPDY frames to a service using spdystream can cause the process to allocate gigabytes of memory with a small number of malformed control frames, leading to an out-of-memory crash.

Three allocation paths in the receive side are affected:

  1. SETTINGS entry count -- The SETTINGS frame reader reads a 32-bit

numSettings from the payload and allocates a slice of that size without checking it against the declared frame length. An attacker can set numSettings to a value far exceeding the actual payload, triggering a large allocation before any setting data is read.

  1. Header count -- parseHeaderValueBlock reads a 32-bit

numHeaders from the decompressed header block and allocates an http.Header map of that size with no upper bound.

  1. Header field size -- Individual header name and value lengths are

read as 32-bit integers and used directly as allocation sizes with no validation.

Because SPDY header blocks are zlib-compressed, a small on-the-wire payload can decompress into attacker-controlled bytes that the parser interprets as 32-bit counts and lengths. A single crafted frame is enough to exhaust process memory.

Impact

Any program that accepts SPDY connections using spdystream -- directly or through a dependent library -- is affected. A remote peer that can send SPDY frames to the service can crash the process with a single crafted SPDY control frame, causing denial of service.

Affected versions

github.com/moby/spdystream <= v0.5.0

Fix

v0.5.1 addresses the receive-side allocation bugs and adds related hardening:

Core fixes:

  • SETTINGS entry-count validation -- The SETTINGS frame reader now

checks that numSettings is consistent with the declared frame length (numSettings <= (length-4)/8) before allocating.

  • Header count limit -- parseHeaderValueBlock enforces a maximum

number of headers per frame (default: 1000).

  • Header field size limit -- Individual header name and value

lengths are checked against a per-field size limit (default: 1 MiB) before allocation.

  • Connection closure on protocol error -- The connection read loop

now closes the underlying net.Conn when it encounters an InvalidControlFrame error, preventing further exploitation on the same connection.

Additional hardening:

  • Write-side bounds checks -- All frame write methods now verify

that payloads fit within the 24-bit length field, preventing the library from producing invalid frames.

Configurable limits:

  • Callers can adjust the defaults using NewConnectionWithOptions or

the lower-level spdy.NewFramerWithOptions with functional options: WithMaxControlFramePayloadSize, WithMaxHeaderFieldSize, and WithMaxHeaderCount.

Analysis

The SPDY/3 frame parser in spdystream does not validate attacker-controlled counts and lengths before allocating memory. A remote peer that can send SPDY frames to a service using spdystream can cause the process to allocate gigabytes of memory with a small number of malformed control frames, leading to an out-of-memory crash.

Three allocation paths in the receive side are affected:

  1. SETTINGS entry count -- The SETTINGS frame reader reads a 32-bit

numSettings from the payload and allocates a slice of that size without checking it against the declared frame length. An attacker can set numSettings to a value far exceeding the actual payload, triggering a large allocation before any setting data is read.

  1. Header count -- parseHeaderValueBlock reads a 32-bit

numHeaders from the decompressed header block and allocates an http.Header map of that size with no upper bound.

  1. Header field size -- Individual header name and value lengths are

read as 32-bit integers and used directly as allocation sizes with no validation.

Because SPDY header blocks are zlib-compressed, a small on-the-wire payload can decompress into attacker-controlled bytes that the parser interprets as 32-bit counts and lengths. A single crafted frame is enough to exhaust process memory.

Impact

Any program that accepts SPDY connections using spdystream -- directly or through a dependent library -- is affected. A remote peer that can send SPDY frames to the service can crash the process with a single crafted SPDY control frame, causing denial of service.

Affected versions

github.com/moby/spdystream <= v0.5.0

Fix

v0.5.1 addresses the receive-side allocation bugs and adds related hardening:

Core fixes:

  • SETTINGS entry-count validation -- The SETTINGS frame reader now

checks that numSettings is consistent with the declared frame length (numSettings <= (length-4)/8) before allocating.

  • Header count limit -- parseHeaderValueBlock enforces a maximum

number of headers per frame (default: 1000).

  • Header field size limit -- Individual header name and value

lengths are checked against a per-field size limit (default: 1 MiB) before allocation.

  • Connection closure on protocol error -- The connection read loop

now closes the underlying net.Conn when it encounters an InvalidControlFrame error, preventing further exploitation on the same connection.

Additional hardening:

  • Write-side bounds checks -- All frame write methods now verify

that payloads fit within the 24-bit length field, preventing the library from producing invalid frames.

Configurable limits:

  • Callers can adjust the defaults using NewConnectionWithOptions or

the lower-level spdy.NewFramerWithOptions with functional options: WithMaxControlFramePayloadSize, WithMaxHeaderFieldSize, and WithMaxHeaderCount.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Fixed
SLES15-SP6-CHOST-BYOS Fixed
SLES15-SP6-CHOST-BYOS-Aliyun Fixed
SLES15-SP6-CHOST-BYOS-Azure Fixed
SLES15-SP6-CHOST-BYOS-EC2 Fixed

Share

CVE-2026-35469 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy