PT-2023-3149 · Hyper+2

Qinyushun · Published 2023-04-11 · Updated 2025-08-16 · CVE-2023-26964

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
hyper version 0.13.7; h2 version 0.2.4

Description
An issue in the h2 component of hyper occurs when processing HTTP/2 RST_STREAM frames, leading to stream stacking and high memory and CPU usage, which can result in a Denial of Service (DoS). This issue affects users handling HTTP/2 connections. If an attacker floods the server with pairs of HEADERS/RST_STREAM frames, the pending accept queue keeps growing, resulting in excessive memory use and potentially an out-of-memory condition.

Recommendations
For hyper version 0.13.7 and h2 version 0.2.4, update to a version that includes the fix for this issue, which restricts the remote reset stream count by default. As a temporary workaround, restrict the number of remote reset streams to prevent excessive memory use.
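As an added illustration (not code from hyper or h2), the following simplified Rust model of a server's pending-accept queue shows why HEADERS/RST_STREAM pairs accumulate in the vulnerable versions and how a cap on remotely-reset pending streams bounds the growth. The struct and function names, the queue layout, and the choice to refuse the connection once the cap is hit are assumptions of the model, not h2's implementation.

```rust
use std::collections::VecDeque;
/// Cap on remotely-reset pending-accept streams exceeded; the model drops the connection.
#[derive(Debug, PartialEq)]
pub struct TooManyResets { pub limit: usize }

/// Simplified model of a server's pending-accept queue (constructed, not h2's code).
/// Streams opened by HEADERS wait here until the application accepts them; a
/// RST_STREAM for a waiting stream does not remove it, so its memory stays.
pub struct PendingAccept {
    queue: VecDeque<(u32, bool)>, // (stream_id, already reset by the peer)
    pending_reset: usize,
    max_pending_reset: Option<usize>, // None models the vulnerable, unlimited behaviour
}
impl PendingAccept {
    pub fn new(max_pending_reset: Option<usize>) -> Self {
        Self { queue: VecDeque::new(), pending_reset: 0, max_pending_reset }
    }
    /// HEADERS opens a stream; it is queued until the application accepts it.
    pub fn recv_headers(&mut self, stream_id: u32) {
        self.queue.push_back((stream_id, false));
    }
    /// RST_STREAM on a still-pending stream keeps the entry queued but counts it
    /// against the cap, which is the check the vulnerable versions lacked.
    pub fn recv_rst_stream(&mut self, stream_id: u32) -> Result<(), TooManyResets> {
        if let Some(e) = self.queue.iter_mut().find(|e| e.0 == stream_id && !e.1) {
            if let Some(limit) = self.max_pending_reset {
                if self.pending_reset >= limit {
                    return Err(TooManyResets { limit });
                }
            }
            e.1 = true;
            self.pending_reset += 1;
        }
        Ok(())
    }
    pub fn len(&self) -> usize { self.queue.len() }
}

/// Feed `pairs` HEADERS/RST_STREAM pairs, as the advisory's flood does, and return
/// the queue size reached, or the error that stopped the connection.
pub fn flood(pairs: u32, max_pending_reset: Option<usize>) -> Result<usize, TooManyResets> {
    let mut pa = PendingAccept::new(max_pending_reset);
    for i in 0..pairs {
        let id = 2 * i + 1; // client-initiated streams use odd ids
        pa.recv_headers(id);
        pa.recv_rst_stream(id)?;
    }
    Ok(pa.len())
}
```

With `None` every reset stream stays resident, so memory grows linearly with the number of pairs sent; with a cap, the queue can never hold more than the cap's worth of reset-but-unaccepted streams.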

Exploit · Fix · DoS

Weakness Enumeration
Allocation of Resources Without Limits
Resource Exhaustion

Related Identifiers

AZL-26291
AZL-26730
AZL-34823
AZL-35217
AZL-61174
BDU:2023-03248
CVE-2023-26964
GHSA-F8VR-R385-RH5R
OPENSUSE-SU-2024:0294-1
OPENSUSE-SU-2024:12859-1
OPENSUSE-SU-2024:12861-1
OPENSUSE-SU-2024:12862-1
OPENSUSE-SU-2024:12863-1
OPENSUSE-SU-2024:12864-1
OPENSUSE-SU-2024:12866-1
OPENSUSE-SU-2024:12960-1
OPENSUSE-SU-2024:12973-1
OPENSUSE-SU-2024:13106-1
RUSTSEC-2023-0034
SUSE-SU-2023:2603-1
SUSE-SU-2025:02809-1
SUSE-SU-2025:02810-1
SUSE-SU-2025:02811-1

Affected Products

Suse
H2
Hyper