Severity by source
Network-reachable, no authentication or user interaction needed, pure availability impact via memory exhaustion, no confidentiality or integrity effects.
Lifecycle Timeline
2Description PRE-NVD
Articles & Coverage 1
AnalysisAI
Memory exhaustion denial-of-service affects HTTP/2 server implementations that fail to cap buffered response data under stalled flow-control conditions. A remote unauthenticated attacker opens many simultaneous HTTP/2 streams while advertising SETTINGS_INITIAL_WINDOW_SIZE = 0 or withholding WINDOW_UPDATE frames, forcing the server to accumulate unbounded in-memory response buffers it cannot transmit. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The vulnerability is exploitable against any HTTP/2 server implementation that does not enforce an upper bound on per-stream or per-connection response buffer memory. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is moderate-to-high for any organization running an affected HTTP/2 server implementation exposed to the internet. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a standard internet connection sends a SETTINGS frame advertising SETTINGS_INITIAL_WINDOW_SIZE = 0 immediately after the HTTP/2 connection preface, then opens the server's maximum allowed number of concurrent streams and requests multiple large static resources (e.g., video files, large downloads). The server generates and buffers complete response bodies for every stream but cannot transmit a single byte, causing heap memory to grow proportional to (number of streams × average resource size). … |
| Remediation | The primary remediation is to apply vendor-supplied patches for the specific HTTP/2 server implementation in use; consult the CERT VU#885548 vendor table at https://kb.cert.org/vuls/id/885548 for individual CVE assignments and fix versions, and the F5-specific advisory at https://my.f5.com/manage/s/article/K000162231 for F5 products. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all HTTP/2 server implementations in production (web servers, load balancers, API gateways) and assess which systems accept external untrusted traffic. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
The PDF reader in Mozilla Firefox before 39.0.3, Firefox ESR 38.x before 38.1.1, and Firefox OS before 2.2 allows remote
Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before
Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderb
Use-after-free vulnerability in the serializeToStream implementation in the XMLSerializer component in Mozilla Firefox b
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi
The crypto.generateCRMFRequest function in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird befo
An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Conta
The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi
The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and Se
Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 allow remo
The Firefox sandbox in Adobe Flash Player before 10.3.183.67 and 11.x before 11.6.602.171 on Windows and Mac OS X, and b
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today