Skip to main content

HttpComponents Core CVE-2026-54428

| EUVDEUVD-2026-41095 HIGH
Uncontrolled Resource Consumption (CWE-400)
7.5
CVSS 3.1 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Network-reachable, unauthenticated attack during HTTP/2 handshake; availability-only impact via heap exhaustion, no confidentiality or integrity effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
CVSS changed
Jul 01, 2026 - 19:22 NVD
7.5 (HIGH)
Analysis Generated
Jul 01, 2026 - 16:16 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Memory exhaustion denial-of-service in Apache HttpComponents Core's HTTP/2 HPACK decoder allows remote attackers to crash Java services by sending oversized compressed header blocks before the HTTP/2 SETTINGS acknowledgement is processed. The root cause is a timing gap in the connection handshake: the server's configured maximum header list size limit is not enforced until after the SETTINGS ACK exchange completes, leaving a window during which an attacker can flood the decoder with arbitrarily large compressed header data. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Initiate HTTP/2 connection to target service
Delivery
Send oversized HPACK-compressed HEADERS frame before SETTINGS ACK
Exploit
HPackDecoder allocates unbounded memory
Execution
JVM heap exhausted
Impact
Service crashes or becomes unresponsive

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target application uses the org.apache.httpcomponents.core5:httpcore5-h2 artifact at version 5.4.2 or earlier (or 5.5-beta1) AND exposes an HTTP/2 endpoint reachable by the attacker. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The real-world risk is moderate-to-high for any Java application that exposes an HTTP/2 endpoint using the affected httpcore5-h2 artifact, particularly services directly reachable over the internet. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker targets a publicly accessible Java service - for example, a REST API or microservice - using the httpcore5-h2 library for HTTP/2 transport. The attacker opens an HTTP/2 connection and immediately sends a HEADERS frame containing a maximally compressed but extremely large set of header fields before the server's SETTINGS ACK is exchanged, bypassing the server's configured header list size limit. …
Remediation The primary remediation is to upgrade org.apache.httpcomponents.core5:httpcore5-h2 to a version that enforces the configured SETTINGS_MAX_HEADER_LIST_SIZE before the SETTINGS ACK completes. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Use dependency scanners (Maven, Gradle, SBOMs) to identify all Java applications using org.apache.httpcomponents.core5:httpcore5-h2 versions 5.4.2 or earlier, or 5.5-beta1 and earlier. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54428 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy