PT-2023-3149 · Hyper +2

Qinyushun

·

Published

2023-04-11

·

Updated

2025-08-16

·

CVE-2023-26964

CVSS v2.0

7.8

High

Vector AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: hyper 0.13.7; h2 0.2.4. These are the versions named in the CVE record; per RUSTSEC-2023-0034 every h2 release before 0.3.17 carries the same unbounded queue, and hyper is affected through the h2 version it links for its HTTP/2 support.
Description: The h2 component of hyper mishandles HTTP/2 RST_STREAM frames. A stream that the peer resets before the application has accepted it remains in the pending-accept queue, so streams pile up and memory and CPU usage grow, which can result in a denial of service (DoS). Only HTTP/2 connections are affected. If an attacker floods a connection with pairs of HEADERS/RST_STREAM frames faster than the application accepts streams from the queue, the pending-accept queue grows without bound, causing excessive memory use and potentially an out-of-memory (OOM) condition. Because each stream is reset as soon as it is opened, the flood never exceeds the server's advertised concurrent-stream limit, so SETTINGS_MAX_CONCURRENT_STREAMS alone does not stop it.
Recommendations: For hyper 0.13.7, update to a release that includes the fix, which restricts the number of remotely reset pending-accept streams by default (hyper 0.14.26 and later expose the limit as the `http2_max_pending_accept_reset_streams` option). For h2 0.2.4, update to h2 0.3.17 or later, where `max_pending_accept_reset_streams` (default 20) makes the connection send GOAWAY with ENHANCE_YOUR_CALM once the limit is exceeded. As a temporary workaround, restrict the number of remotely reset streams a single connection may accumulate, for example at an HTTP/2-terminating proxy in front of the service, to prevent excessive memory use.
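To make the flood and the fix concrete, here is an added example (not part of this advisory, and not h2's or hyper's own code) in Rust using only the standard library. It builds the raw HEADERS/RST_STREAM frame pairs an attacker writes after the connection preface, parses them back as a receiver would, and feeds them through a small model of the server's pending-accept queue, first without a limit and then with the post-fix limit. The `PendingAccept` type, `simulate`, and the minimal HPACK header block are assumptions of the example; the frame layout follows RFC 9113.

```rust
use std::collections::VecDeque;

// HTTP/2 frame types, flags and error code used below (RFC 9113, sections 6 and 7).
const HEADERS: u8 = 0x1;
const RST_STREAM: u8 = 0x3;
const END_STREAM: u8 = 0x1;
const END_HEADERS: u8 = 0x4;
const CANCEL: u32 = 0x8;

/// Serialise one frame: 24-bit length, 8-bit type, 8-bit flags,
/// reserved bit plus 31-bit stream id, then the payload.
pub fn frame(ty: u8, flags: u8, stream_id: u32, payload: &[u8]) -> Vec<u8> {
    assert!(payload.len() < 1 << 24, "payload exceeds 2^24-1 bytes");
    let mut out = Vec::with_capacity(9 + payload.len());
    out.extend_from_slice(&(payload.len() as u32).to_be_bytes()[1..]);
    out.push(ty);
    out.push(flags);
    out.extend_from_slice(&(stream_id & 0x7fff_ffff).to_be_bytes());
    out.extend_from_slice(payload);
    out
}

/// One attack unit: HEADERS opening a request (HPACK static-table indices for
/// `:method GET`, `:scheme http`, `:path /`, plus a literal `:authority` of "a";
/// a hypothetical minimal request chosen for this example), immediately
/// followed by RST_STREAM(CANCEL) on the same stream id.
pub fn headers_rst_pair(stream_id: u32) -> Vec<u8> {
    let hpack = [0x82, 0x86, 0x84, 0x01, 0x01, b'a'];
    let mut out = frame(HEADERS, END_HEADERS | END_STREAM, stream_id, &hpack);
    out.extend(frame(RST_STREAM, 0, stream_id, &CANCEL.to_be_bytes()));
    out
}

/// Bytes a client writes after the preface: `n` pairs on odd, increasing stream ids.
pub fn flood(n: u32) -> Vec<u8> {
    (0..n).flat_map(|i| headers_rst_pair(2 * i + 1)).collect()
}

/// Frame header as seen by the receiver; payload contents are not needed here.
#[derive(Debug, Clone, Copy, PartialEq)]
pub struct FrameHead { pub ty: u8, pub flags: u8, pub stream_id: u32, pub len: usize }

/// Split a byte stream into frame headers, stopping at a truncated frame.
pub fn parse_frames(mut buf: &[u8]) -> Vec<FrameHead> {
    let mut frames = Vec::new();
    while buf.len() >= 9 {
        let len = u32::from_be_bytes([0, buf[0], buf[1], buf[2]]) as usize;
        if buf.len() < 9 + len { break; }
        let id = u32::from_be_bytes([buf[5], buf[6], buf[7], buf[8]]) & 0x7fff_ffff;
        frames.push(FrameHead { ty: buf[3], flags: buf[4], stream_id: id, len });
        buf = &buf[9 + len..];
    }
    frames
}

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Outcome { Ok, GoAway }

/// Model of the server's pending-accept queue (assumed for this example). A stream
/// is queued on HEADERS and stays queued until the application accepts it; a peer
/// RST_STREAM only marks it, because the application must still observe the reset.
/// With `max_pending_accept_reset == None` the queue grows with every pair the
/// attacker sends (vulnerable behaviour); with a cap the connection is torn down
/// once the count of reset-but-unaccepted streams exceeds it (fixed behaviour).
pub struct PendingAccept {
    queue: VecDeque<(u32, bool)>, // (stream id, reset by peer)
    reset_pending: usize,
    max_pending_accept_reset: Option<usize>,
}

impl PendingAccept {
    pub fn new(max_pending_accept_reset: Option<usize>) -> Self {
        PendingAccept { queue: VecDeque::new(), reset_pending: 0, max_pending_accept_reset }
    }

    pub fn recv(&mut self, f: FrameHead) -> Outcome {
        match f.ty {
            HEADERS => self.queue.push_back((f.stream_id, false)),
            RST_STREAM => {
                // Newest streams sit at the back, so search from there.
                if let Some(e) = self.queue.iter_mut().rev().find(|e| e.0 == f.stream_id && !e.1) {
                    e.1 = true;
                    self.reset_pending += 1;
                    if self.max_pending_accept_reset.map_or(false, |m| self.reset_pending > m) {
                        return Outcome::GoAway; // the fixed h2 answers with ENHANCE_YOUR_CALM here
                    }
                }
            }
            _ => {}
        }
        Outcome::Ok
    }

    /// The application takes the oldest stream; a reset one frees its slot.
    pub fn accept(&mut self) -> Option<u32> {
        let (id, reset) = self.queue.pop_front()?;
        if reset { self.reset_pending -= 1; }
        Some(id)
    }

    pub fn pending(&self) -> usize { self.queue.len() }
}

/// Drive `pairs` HEADERS/RST_STREAM pairs through the model while the application
/// accepts nothing (it is slower than the network, the condition the advisory
/// describes). Returns the queue length when input ends or the connection is closed.
pub fn simulate(pairs: u32, limit: Option<usize>) -> (usize, Outcome) {
    let mut pa = PendingAccept::new(limit);
    for f in parse_frames(&flood(pairs)) {
        if pa.recv(f) == Outcome::GoAway { return (pa.pending(), Outcome::GoAway); }
    }
    (pa.pending(), Outcome::Ok)
}

fn main() {
    println!("no limit: {:?}", simulate(100_000, None));
    println!("limit 20: {:?}", simulate(100_000, Some(20)));
}
```

Run as is: without a limit the model ends holding every one of the 100 000 streams, which is the memory growth the advisory describes; with the limit of 20 the connection is closed on the 21st reset, so a single connection can never hold more than 21 unaccepted streams. Note that the cap counts reset streams the application has not yet accepted, not resets in total, which is why `accept()` releases a slot and a well-behaved client that cancels occasionally is never affected.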

Exploit

Fix

DoS

Allocation of Resources Without Limits

Resource Exhaustion


Weakness Enumeration

Related identifiers

AZL-26291
AZL-26730
AZL-34823
AZL-35217
AZL-61174
BDU:2023-03248
CVE-2023-26964
GHSA-F8VR-R385-RH5R
OPENSUSE-SU-2024:0294-1
OPENSUSE-SU-2024:12859-1
OPENSUSE-SU-2024:12861-1
OPENSUSE-SU-2024:12862-1
OPENSUSE-SU-2024:12863-1
OPENSUSE-SU-2024:12864-1
OPENSUSE-SU-2024:12866-1
OPENSUSE-SU-2024:12960-1
OPENSUSE-SU-2024:12973-1
OPENSUSE-SU-2024:13106-1
RUSTSEC-2023-0034
SUSE-SU-2023:2603-1
SUSE-SU-2025:02809-1
SUSE-SU-2025:02810-1
SUSE-SU-2025:02811-1

Affected products

Suse
H2
Hyper