PT-2024-2590 · Apache · Apache HTTP Server
Bartek Nowotarski · Published 2024-02-22 · Updated 2025-10-07 · CVE-2024-27316
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
nghttp2 versions prior to 1.61.0
Apache HTTP Server 2.4.17 through 2.4.58 (HTTP/2 support via mod_http2 was introduced in 2.4.17)
Apple Software (affected versions not specified)
NetApp ONTAP (affected versions not specified)
Fedoraproject Fedora (affected versions not specified)
Description
Apache HTTP Server's HTTP/2 implementation (mod_http2, built on nghttp2) temporarily buffers incoming request headers that exceed the configured limit so that it can return an informative HTTP 413 response instead of dropping the connection. An HTTP/2 header block may be spread over a HEADERS frame followed by any number of CONTINUATION frames, and the block is only complete once a frame carries the END_HEADERS flag. A client that keeps sending CONTINUATION frames without ever setting END_HEADERS therefore causes the server to buffer header data without bound until memory is exhausted; the end of the header block is never reached, and no limit on the number of CONTINUATION frames stopped the accumulation. A remote, unauthenticated attacker can exploit this by sending specially crafted HTTP/2 traffic to cause a denial of service.
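The control that was missing is a hard cap on how large an unfinished header block may grow and how many CONTINUATION frames may carry it. The following added example (not Apache httpd or nghttp2 code) parses raw HTTP/2 frames per RFC 9113 and rejects a header block as soon as either cap is exceeded, which is the shape of the fix nghttp2 adopted (a per-block CONTINUATION limit). The cap values, the frame builder and the sample traffic are constructed here for illustration and are not server defaults.

```python
"""Bound HTTP/2 header blocks so an endless CONTINUATION stream is rejected, not buffered.

Added example, not Apache httpd or nghttp2 code. Frame layout follows RFC 9113;
the limits and the sample traffic below are assumptions made for illustration.
"""

HEADERS = 0x1          # frame type: start of a header block
CONTINUATION = 0x9     # frame type: more of the same header block
END_HEADERS = 0x4      # flag: this frame finishes the header block
FRAME_HEADER_LEN = 9   # 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id


def build_frame(ftype, flags, stream_id, payload):
    """Serialize one HTTP/2 frame (used only to construct sample traffic)."""
    assert len(payload) < 1 << 24
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in a byte string."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        body = data[off + FRAME_HEADER_LEN:off + FRAME_HEADER_LEN + length]
        if len(body) < length:
            break  # trailing partial frame: wait for more bytes
        yield ftype, flags, stream_id, body
        off += FRAME_HEADER_LEN + length


class HeaderBlockGuard:
    """Track the single header block that may be open on a connection and cap its growth.

    Once a HEADERS frame lacks END_HEADERS, RFC 9113 requires the following frames to be
    CONTINUATION frames on the same stream until one sets END_HEADERS. Instead of buffering
    past the limit to build a 413, this guard returns a reason to reset the connection.
    """

    def __init__(self, max_block_bytes=16384, max_continuations=8):  # assumed caps
        self.max_block_bytes = max_block_bytes
        self.max_continuations = max_continuations
        self.open = None  # (stream_id, bytes_so_far, continuation_count) or None

    def feed(self, ftype, flags, stream_id, payload):
        """Return None if the frame is acceptable, otherwise a string saying why not."""
        if self.open is None:
            if ftype == CONTINUATION:
                return f"CONTINUATION on stream {stream_id} without a preceding HEADERS"
            if ftype != HEADERS:
                return None  # DATA, SETTINGS, etc. outside a header block are fine
            total, count = len(payload), 0
        else:
            open_sid, total, count = self.open
            if ftype != CONTINUATION or stream_id != open_sid:
                self.open = None
                return f"expected CONTINUATION on stream {open_sid}, got type {ftype:#x} on stream {stream_id}"
            total += len(payload)
            count += 1
        if count > self.max_continuations:
            self.open = None
            return f"more than {self.max_continuations} CONTINUATION frames on stream {stream_id}"
        if total > self.max_block_bytes:
            self.open = None
            return f"header block on stream {stream_id} exceeds {self.max_block_bytes} bytes"
        self.open = None if flags & END_HEADERS else (stream_id, total, count)
        return None


def first_violation(data, **limits):
    """Feed a byte string of frames through the guard; return the first reset reason, or None."""
    guard = HeaderBlockGuard(**limits)
    for frame in iter_frames(data):
        reason = guard.feed(*frame)
        if reason is not None:
            return reason
    return None


# Constructed sample traffic. Payloads stand in for HPACK header blocks; only their
# lengths matter to the guard, so their contents are arbitrary.
def benign_request():
    """One request whose headers fit in a single HEADERS frame."""
    return build_frame(HEADERS, END_HEADERS, 1, b"\x82\x86\x84\x41\x0fwww.example.com")


def split_request():
    """A legitimate header block split across HEADERS plus one CONTINUATION."""
    return (build_frame(HEADERS, 0, 3, b"\x82\x86\x84")
            + build_frame(CONTINUATION, END_HEADERS, 3, b"\x41\x0fwww.example.com"))


def continuation_flood(n_frames, chunk=1024):
    """HEADERS followed by n CONTINUATION frames, none of which ever sets END_HEADERS."""
    frames = build_frame(HEADERS, 0, 1, b"\x82\x86\x84")
    for _ in range(n_frames):
        frames += build_frame(CONTINUATION, 0, 1, b"\x00" * chunk)
    return frames
```

`first_violation(continuation_flood(100))` trips the frame-count cap after the ninth CONTINUATION frame, while a flood of fewer but larger frames trips the byte cap first; a legitimate request split across HEADERS and CONTINUATION passes because END_HEADERS closes the block. Both caps are needed: the byte cap alone still lets a client push many tiny frames, and the count cap alone lets a few maximum-size frames through.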
Recommendations
For nghttp2, update to version 1.61.0 or later, which caps the number of CONTINUATION frames accepted for a single header block.
For Apache HTTP Server, update to version 2.4.59 or later.
For Apple Software, there is no information about a newer version that contains a fix for this vulnerability.
For NetApp ONTAP, there is no information about a newer version that contains a fix for this vulnerability.
For Fedoraproject Fedora, there is no information about a newer version that contains a fix for this vulnerability.
As a temporary workaround, disable HTTP/2 on affected Apache HTTP Server instances until the patch can be applied (remove h2 and h2c from the Protocols directive so only http/1.1 is negotiated). Note that the server cannot stop a client from sending CONTINUATION frames; only disabling HTTP/2 or applying the fix removes the exposure.
Exploit
DoS
Allocation of Resources Without Limits
Resource Exhaustion
Affected Products
Alt Linux
Almalinux
Apache Http Server
Softwarex
Astra Linux
Centos
Linuxmint
Apple Macos
Netapp Ontap
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu