PT-2024-2624 · Nghttp2

Bartek Nowotarski

Published 2024-04-03 · Updated 2026-03-29 · CVE-2024-28182

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: nghttp2 versions prior to 1.61.0
Description: The nghttp2 library keeps reading an unbounded number of HTTP/2 CONTINUATION frames even after a stream has been reset, because the remainder of the header block must still be consumed to keep the HPACK decoder context in sync with the peer. Decoding that HPACK stream costs excessive CPU, so a remote attacker can exploit this to cause a denial of service.
Recommendations: For nghttp2 versions prior to 1.61.0, update to version 1.61.0 or later; that release mitigates the vulnerability by limiting the number of CONTINUATION frames accepted per stream. As a temporary workaround where the update cannot be applied yet, consider restricting the use of HTTP/2 CONTINUATION frames.
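The kind of check the 1.61.0 fix adds, shown as an added illustration rather than nghttp2's own code: a minimal HTTP/2 frame-header parser with a per-header-block CONTINUATION counter, where a locally reset stream still has its block consumed for HPACK but the counter bounds the cost. The cap value, struct and function names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
/* Frame types and flag from RFC 9113. */
#define H2_HEADERS          0x1
#define H2_CONTINUATION     0x9
#define H2_FLAG_END_HEADERS 0x4
/* Assumed per-header-block cap: an illustrative value, not nghttp2's constant. */
#define MAX_CONTINUATIONS   8

struct h2_hdr { uint32_t length; uint8_t type, flags; uint32_t stream_id; };
struct h2_state {
    uint32_t block_stream;  /* stream whose header block is still open, 0 = none */
    int      reset;         /* that stream was reset locally while the block was open */
    unsigned continuations; /* CONTINUATION frames consumed for the open block */
};

/* Decode the 9-octet frame header (RFC 9113 s4.1). Returns 0 on short input. */
int h2_parse_header(const uint8_t *buf, size_t len, struct h2_hdr *h) {
    if (len < 9) return 0;
    h->length    = ((uint32_t)buf[0] << 16) | ((uint32_t)buf[1] << 8) | buf[2];
    h->type = buf[3]; h->flags = buf[4];
    h->stream_id = (((uint32_t)buf[5] << 24) | ((uint32_t)buf[6] << 16) |
                    ((uint32_t)buf[7] << 8) | buf[8]) & 0x7fffffffu;
    return 1;
}

/* The application rejected the stream (RST_STREAM sent). Its header block must
   still be consumed so the HPACK dynamic table stays in sync with the peer. */
void h2_local_reset(struct h2_state *st, uint32_t stream_id) {
    if (st->block_stream == stream_id) st->reset = 1;
}

/* Feed one frame header: 1 = accepted, 0 = close the connection. Before the fix
   the count below was never checked, so even a reset stream could cost
   unbounded HPACK decoding work. */
int h2_accept(struct h2_state *st, const struct h2_hdr *h) {
    if (st->block_stream == 0) {
        if (h->type == H2_CONTINUATION) return 0;   /* nothing to continue */
        if (h->type == H2_HEADERS && !(h->flags & H2_FLAG_END_HEADERS)) {
            st->block_stream = h->stream_id; st->continuations = 0; st->reset = 0;
        }
        return 1;
    }
    if (h->type != H2_CONTINUATION || h->stream_id != st->block_stream)
        return 0;                          /* a header block must be contiguous */
    if (++st->continuations > MAX_CONTINUATIONS)
        return 0;                          /* the mitigation: bound the work */
    if (h->flags & H2_FLAG_END_HEADERS) st->block_stream = 0;
    return 1;
}
```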

Exploit · Fix · DoS · Allocation of Resources Without Limits


Weakness Enumeration

Related Identifiers

ALSA-2024:2778
ALSA-2024:2779
ALSA-2024:2780
ALSA-2024:2853
ALSA-2024:2910
ALSA-2024:3501
ALSA-2024:4252
ALT-PU-2024-5984
ALT-PU-2024-5988
ALT-PU-2024-6191
ALT-PU-2024-6196
AZL-38719
AZL-38728
AZL-38881
AZL-38995
AZL-39115
AZL-39148
AZL-39460
AZL-39520
AZL-42099
AZL-56113
BDU:2024-02691
CESA-2024_2778
CESA-2024_2780
CESA-2024_4252
CVE-2024-28182
DLA-3804-1
DLA-3898-1
GHSA-X6X3-GV8H-M57Q
INFSA-2024_2779
INFSA-2024_2853
INFSA-2024_2910
INFSA-2024_3501
INFSA-2024_4252
MGASA-2024-0135
OESA-2024-1389
OPENSUSE-SU-2024:13825-1
OPENSUSE-SU-2024_1167-1
RHSA-2024:2693
RHSA-2024:2778
RHSA-2024:2779
RHSA-2024:2780
RHSA-2024:2853
RHSA-2024:2910
RHSA-2024:2937
RHSA-2024:3501
RHSA-2024:3544
RHSA-2024:3665
RHSA-2024:3701
RHSA-2024:3763
RHSA-2024:3875
RHSA-2024:4252
RHSA-2024:4576
RHSA-2024:4721
RHSA-2024:4732
RHSA-2024:4824
RHSA-2024_2778
RHSA-2024_2779
RHSA-2024_2780
RHSA-2024_2853
RHSA-2024_2910
RHSA-2024_3501
RHSA-2024_4252
RLSA-2024:2778
RLSA-2024:2779
RLSA-2024:2780
RLSA-2024:2853
RLSA-2024:2910
RLSA-2024:3501
ROSA-SA-2024-2525
SUSE-SU-2024:1156-1
SUSE-SU-2024:1167-1
SUSE-SU-2024:1167-2
SUSE-SU-2024_1156-1
SUSE-SU-2024_1167-1
SUSE-SU-2025:20002-1
USN-6754-1
USN-6754-2

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Nghttp2