PT-2026-54843 · Apache · Httpcomponents Core
Henry Huang
+1
·
Published
2026-07-01
·
Updated
2026-07-01
·
CVE-2026-54428
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Apache HttpComponents Core versions prior to 5.4.3
Apache HttpComponents Core versions prior to 5.5-beta2
Description
An issue exists in the HTTP/2 HPACK decoder where resources are allocated without limits or throttling. A remote attacker can cause a denial of service through memory exhaustion by sending oversized compressed header blocks before the HTTP/2 SETTINGS acknowledgement triggers the application of the configured header list size limit.
Recommendations
Update Apache HttpComponents Core to version 5.4.3 or later.
Update Apache HttpComponents Core to version 5.5-beta2 or later.
Exploit
Fix
DoS
Resource Exhaustion
Allocation of Resources Without Limits
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Httpcomponents Core