PT-2026-54843 · Apache · Httpcomponents Core

Henry Huang

+1

·

Published

2026-07-01

·

Updated

2026-07-01

·

CVE-2026-54428

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions Apache HttpComponents Core versions prior to 5.4.3 Apache HttpComponents Core versions prior to 5.5-beta2
Description An issue exists in the HTTP/2 HPACK decoder where resources are allocated without limits or throttling. A remote attacker can cause a denial of service through memory exhaustion by sending oversized compressed header blocks before the HTTP/2 SETTINGS acknowledgement triggers the application of the configured header list size limit.
Recommendations Update Apache HttpComponents Core to version 5.4.3 or later. Update Apache HttpComponents Core to version 5.5-beta2 or later.

Exploit

Fix

DoS

Resource Exhaustion

Allocation of Resources Without Limits

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-54428

Affected Products

Httpcomponents Core