PT-2020-4061 · Nghttp2+9

Published: 2020-01-24 · Updated: 2026-05-18 · CVE-2020-11080

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: nghttp2 versions prior to 1.41.0
Description: The issue is related to the handling of HTTP/2 SETTINGS frames in nghttp2, where an overly large frame payload can cause a denial of service. A malicious client can construct a SETTINGS frame with a large number of settings entries, causing the CPU to spike at 100%. This can be achieved by sending multiple SETTINGS frames with a length of 14,400 bytes, containing 2400 individual settings entries.
Recommendations: For versions prior to 1.41.0, update to nghttp2 version 1.41.0 to resolve the issue. As a temporary workaround, implement the `nghttp2_on_frame_recv_callback` callback and drop the connection if a SETTINGS frame with a large number of settings entries (e.g., > 32) is received.
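
The entry-count rule from the workaround, as an added example that is not nghttp2's code and does not use its API: a stand-alone C check that reads the 9-byte HTTP/2 frame header (RFC 7540) and decides whether a SETTINGS frame carries more than 32 entries. The names `check_settings_frame`, `h2_write_header` and the `h2_verdict` values are hypothetical, and the header bytes built in `main` are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define H2_HDR_LEN   9   /* RFC 7540 4.1: length(24) type(8) flags(8) stream id(32) */
#define H2_SETTINGS  0x4 /* RFC 7540 6.5 */
#define H2_FLAG_ACK  0x1
#define H2_ENTRY_LEN 6   /* 16-bit identifier + 32-bit value */
#define MAX_ENTRIES  32  /* threshold suggested in the advisory */

enum h2_verdict { H2_DROP = -1, H2_NEED_MORE = 0, H2_ALLOW = 1 };

/* Hypothetical helper: judge one frame from its header alone. The entry count
 * follows from the length field, so no payload has to be buffered or parsed. */
enum h2_verdict check_settings_frame(const uint8_t *hdr, size_t avail, size_t *entries)
{
    if (entries) *entries = 0;
    if (hdr == NULL || avail < H2_HDR_LEN) return H2_NEED_MORE;

    uint32_t len = ((uint32_t)hdr[0] << 16) | ((uint32_t)hdr[1] << 8) | hdr[2];
    if (hdr[3] != H2_SETTINGS) return H2_ALLOW;      /* other frame types pass */

    /* Malformed SETTINGS (FRAME_SIZE_ERROR in RFC 7540 6.5) is dropped too. */
    if (len % H2_ENTRY_LEN != 0) return H2_DROP;
    if ((hdr[4] & H2_FLAG_ACK) && len != 0) return H2_DROP;

    size_t n = len / H2_ENTRY_LEN;
    if (entries) *entries = n;
    return n > MAX_ENTRIES ? H2_DROP : H2_ALLOW;
}

/* Build a constructed frame header on stream 0 for the demo and tests. */
void h2_write_header(uint8_t out[H2_HDR_LEN], uint32_t len, uint8_t type, uint8_t flags)
{
    out[0] = (uint8_t)(len >> 16); out[1] = (uint8_t)(len >> 8); out[2] = (uint8_t)len;
    out[3] = type; out[4] = flags;
    out[5] = out[6] = out[7] = out[8] = 0;
}

int main(void)
{
    uint8_t hdr[H2_HDR_LEN];
    size_t n;
    h2_write_header(hdr, 14400, H2_SETTINGS, 0);     /* frame size from the advisory */
    enum h2_verdict v = check_settings_frame(hdr, sizeof hdr, &n);
    printf("entries=%zu verdict=%s\n", n, v == H2_DROP ? "drop" : "allow");
    return 0;
}
```

Inside an nghttp2 frame-receive callback the same count is available as `frame->settings.niv`, so the comparison against 32 can be made there without parsing the header by hand.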

Fix

DoS

Resource Exhaustion

Improper Neutralization

Related Identifiers

ALSA-2020:2755
ALSA-2020:2848
ALSA-2020:2852
ALT-PU-2020-1090
ALT-PU-2020-2217
ALT-PU-2020-2223
ALT-PU-2020-2489
ALT-PU-2020-2652
ALT-PU-2020-2926
ALT-PU-2020-3284
ALT-PU-2021-2380
ALT-PU-2021-3668
ALT-PU-2022-3073
BDU:2020-04461
BIT-NODE-2020-11080
BIT-NODE-MIN-2020-11080
CESA-2020_2755
CESA-2020_2848
CESA-2020_2852
CLEANSTART-2026-BD71263
CLEANSTART-2026-IS74202
CLEANSTART-2026-JR35772
CLEANSTART-2026-JY06700
CLEANSTART-2026-KN34553
CLEANSTART-2026-KZ45320
CLEANSTART-2026-LJ44720
CLEANSTART-2026-LN12820
CLEANSTART-2026-TX00223
CLEANSTART-2026-WI75198
CVE-2020-11080
DLA-2786-1
DLA-3621-1
DSA-4696-1
GHSA-Q5WR-XFW9-Q7XR
MGASA-2020-0256
OPENSUSE-SU-2020:0802-1
OPENSUSE-SU-2020_0802-1
OPENSUSE-SU-2021:0468-1
OPENSUSE-SU-2021_0468-1
OPENSUSE-SU-2024:11091-1
OPENSUSE-SU-2024:11096-1
RHSA-2020:2523
RHSA-2020:2524
RHSA-2020:2644
RHSA-2020:2755
RHSA-2020:2784
RHSA-2020:2823
RHSA-2020:2847
RHSA-2020:2848
RHSA-2020:2849
RHSA-2020:2850
RHSA-2020:2852
RHSA-2020:2895
RHSA-2020:3042
RHSA-2020:3084
RHSA-2020_2755
RHSA-2020_2848
RHSA-2020_2852
RLSA-2020:2755
RLSA-2020:2848
RLSA-2020:2852
SUSE-SU-2020:1568-1
SUSE-SU-2020:1575-1
SUSE-SU-2020:1576-1
SUSE-SU-2020:1606-1
SUSE-SU-2020:2800-1
SUSE-SU-2020_1568-1
SUSE-SU-2020_1575-1
SUSE-SU-2020_1576-1
SUSE-SU-2020_1606-1
SUSE-SU-2020_2800-1
SUSE-SU-2021:0930-1
SUSE-SU-2021:0931-1
SUSE-SU-2021:0932-1
SUSE-SU-2021_0930-1
SUSE-SU-2021_0931-1
USN-6142-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Linuxmint
Red Hat
Rocky Linux
Suse
Ubuntu
Nghttp2