CVE-2024-28182

EUVD-2024-25307
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync.  This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 96%
Affected Products (NVD)
VendorProductVersion
nghttp2nghttp2
𝑥
< 1.61.0
debiandebian_linux
10.0
debiandebian_linux
11.0
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
nghttp2nghttp2
𝑥
< 1.61.0
ADP
Debian logo
Debian Releases
Debian Product
Codename
nghttp2
bookworm
1.52.0-1+deb12u2
fixed
bookworm (security)
vulnerable
bullseye
vulnerable
bullseye (security)
1.43.0-1+deb11u2
fixed
forky
1.64.0-1.1
fixed
sid
1.64.0-1.1
fixed
trixie
1.64.0-1.1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
nghttp2
bionic
Fixed 1.30.0-1ubuntu1+esm2
released
focal
Fixed 1.40.0-1ubuntu0.3
released
jammy
Fixed 1.43.0-1ubuntu0.2
released
mantic
Fixed 1.55.1-1ubuntu0.2
released
noble
Fixed 1.59.0-1ubuntu0.1
released
xenial
Fixed 1.7.1-1ubuntu0.1~esm2
released
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
libnghttp2-14
suse enterprise desktop 15 SP5
1.40.0-150200.17.1
fixed
suse enterprise desktop 15 SP6
1.40.0-150600.23.2
fixed
suse enterprise desktop 15 SP7
1.64.0-150700.1.5
fixed
suse enterprise sap 12 SP5
1.39.2-3.18.1
fixed
suse enterprise sap 15 SP2
1.40.0-150200.17.1
fixed
suse enterprise sap 15 SP3
1.40.0-150200.17.1
fixed
suse enterprise sap 15 SP4
1.40.0-150200.17.1
fixed
suse enterprise sap 15 SP5
1.40.0-150200.17.1
fixed
suse enterprise sap 15 SP6
1.40.0-150600.23.2
fixed
suse enterprise sap 15 SP7
1.64.0-150700.1.5
fixed
suse enterprise server 12 SP5
1.39.2-3.18.1
fixed
suse enterprise server 15 SP2
1.40.0-150200.17.1
fixed
suse enterprise server 15 SP3
1.40.0-150200.17.1
fixed
suse enterprise server 15 SP4
1.40.0-150200.17.1
fixed
suse enterprise server 15 SP5
1.40.0-150200.17.1
fixed
suse enterprise server 15 SP6
1.40.0-150600.23.2
fixed
suse enterprise server 15 SP7
1.64.0-150700.1.5
fixed
libnghttp2-14-32bit
suse enterprise desktop 15 SP5
1.40.0-150200.17.1
fixed
suse enterprise desktop 15 SP6
1.40.0-150600.23.2
fixed
suse enterprise desktop 15 SP7
1.64.0-150700.1.5
fixed
suse enterprise sap 12 SP5
1.39.2-3.18.1
fixed
suse enterprise sap 15 SP2
1.40.0-150200.17.1
fixed
suse enterprise sap 15 SP3
1.40.0-150200.17.1
fixed
suse enterprise sap 15 SP4
1.40.0-150200.17.1
fixed
suse enterprise sap 15 SP5
1.40.0-150200.17.1
fixed
suse enterprise sap 15 SP6
1.40.0-150600.23.2
fixed
suse enterprise sap 15 SP7
1.64.0-150700.1.5
fixed
suse enterprise server 12 SP5
1.39.2-3.18.1
fixed
suse enterprise server 15 SP2
1.40.0-150200.17.1
fixed
suse enterprise server 15 SP3
1.40.0-150200.17.1
fixed
suse enterprise server 15 SP4
1.40.0-150200.17.1
fixed
suse enterprise server 15 SP5
1.40.0-150200.17.1
fixed
suse enterprise server 15 SP6
1.40.0-150600.23.2
fixed
suse enterprise server 15 SP7
1.64.0-150700.1.5
fixed
libnghttp2-devel
suse enterprise desktop 15 SP5
1.40.0-150200.17.1
fixed
suse enterprise desktop 15 SP6
1.40.0-150600.23.2
fixed
suse enterprise desktop 15 SP7
1.64.0-150700.1.5
fixed
suse enterprise sap 15 SP2
1.40.0-150200.17.1
fixed
suse enterprise sap 15 SP3
1.40.0-150200.17.1
fixed
suse enterprise sap 15 SP4
1.40.0-150200.17.1
fixed
suse enterprise sap 15 SP5
1.40.0-150200.17.1
fixed
suse enterprise sap 15 SP6
1.40.0-150600.23.2
fixed
suse enterprise sap 15 SP7
1.64.0-150700.1.5
fixed
suse enterprise server 15 SP2
1.40.0-150200.17.1
fixed
suse enterprise server 15 SP3
1.40.0-150200.17.1
fixed
suse enterprise server 15 SP4
1.40.0-150200.17.1
fixed
suse enterprise server 15 SP5
1.40.0-150200.17.1
fixed
suse enterprise server 15 SP6
1.40.0-150600.23.2
fixed
suse enterprise server 15 SP7
1.64.0-150700.1.5
fixed
libnghttp2_asio-devel
suse enterprise desktop 15 SP5
1.40.0-150200.17.1
fixed
suse enterprise desktop 15 SP6
1.40.0-150600.23.2
fixed
suse enterprise desktop 15 SP7
1.40.0-150600.23.2
fixed
suse enterprise sap 15 SP2
1.40.0-150200.17.1
fixed
suse enterprise sap 15 SP3
1.40.0-150200.17.1
fixed
suse enterprise sap 15 SP4
1.40.0-150200.17.1
fixed
suse enterprise sap 15 SP5
1.40.0-150200.17.1
fixed
suse enterprise sap 15 SP6
1.40.0-150600.23.2
fixed
suse enterprise sap 15 SP7
1.40.0-150600.23.2
fixed
suse enterprise server 15 SP2
1.40.0-150200.17.1
fixed
suse enterprise server 15 SP3
1.40.0-150200.17.1
fixed
suse enterprise server 15 SP4
1.40.0-150200.17.1
fixed
suse enterprise server 15 SP5
1.40.0-150200.17.1
fixed
suse enterprise server 15 SP6
1.40.0-150600.23.2
fixed
suse enterprise server 15 SP7
1.40.0-150600.23.2
fixed
libnghttp2_asio1
suse enterprise desktop 15 SP5
1.40.0-150200.17.1
fixed
suse enterprise desktop 15 SP6
1.40.0-150600.23.2
fixed
suse enterprise desktop 15 SP7
1.40.0-150600.23.2
fixed
suse enterprise sap 15 SP2
1.40.0-150200.17.1
fixed
suse enterprise sap 15 SP3
1.40.0-150200.17.1
fixed
suse enterprise sap 15 SP4
1.40.0-150200.17.1
fixed
suse enterprise sap 15 SP5
1.40.0-150200.17.1
fixed
suse enterprise sap 15 SP6
1.40.0-150600.23.2
fixed
suse enterprise sap 15 SP7
1.40.0-150600.23.2
fixed
suse enterprise server 15 SP2
1.40.0-150200.17.1
fixed
suse enterprise server 15 SP3
1.40.0-150200.17.1
fixed
suse enterprise server 15 SP4
1.40.0-150200.17.1
fixed
suse enterprise server 15 SP5
1.40.0-150200.17.1
fixed
suse enterprise server 15 SP6
1.40.0-150600.23.2
fixed
suse enterprise server 15 SP7
1.40.0-150600.23.2
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
libnghttp2
RHEL 8
0:1.33.0-6.el8_10.1
fixed
RHEL 8.8 AUS
0:1.33.0-5.el8_8.1
fixed
RHEL 8.8 E4S
0:1.33.0-5.el8_8.1
fixed
RHEL 8.8 EUS
0:1.33.0-5.el8_8.1
fixed
RHEL 8.8 TUS
0:1.33.0-5.el8_8.1
fixed
RHEL 9
0:1.43.0-5.el9_4.3
fixed
libnghttp2-devel
RHEL 8
0:1.33.0-6.el8_10.1
fixed
RHEL 8.8 AUS
0:1.33.0-5.el8_8.1
fixed
RHEL 8.8 E4S
0:1.33.0-5.el8_8.1
fixed
RHEL 8.8 EUS
0:1.33.0-5.el8_8.1
fixed
RHEL 8.8 TUS
0:1.33.0-5.el8_8.1
fixed
RHEL 9
0:1.43.0-5.el9_4.3
fixed
nghttp2
RHEL 8
0:1.33.0-6.el8_10.1
fixed
RHEL 8.8 AUS
0:1.33.0-5.el8_8.1
fixed
RHEL 8.8 E4S
0:1.33.0-5.el8_8.1
fixed
RHEL 8.8 EUS
0:1.33.0-5.el8_8.1
fixed
RHEL 8.8 TUS
0:1.33.0-5.el8_8.1
fixed
RHEL 9
0:1.43.0-5.el9_4.3
fixed
nodejs
RHEL 9
1:16.20.2-8.el9_4
fixed
nodejs-docs
RHEL 9
1:16.20.2-8.el9_4
fixed
nodejs-full-i18n
RHEL 9
1:16.20.2-8.el9_4
fixed
nodejs-libs
RHEL 9
1:16.20.2-8.el9_4
fixed
npm
RHEL 9
1:8.19.4-1.16.20.2.8.el9_4
fixed
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2024/04/03/16
https://github.com/nghttp2/nghttp2/commit/00201ecd8f982da3b67d4f6868af72a1b03b14e0
https://github.com/nghttp2/nghttp2/commit/d71a4668c6bead55805d18810d633fbb98315af9
https://github.com/nghttp2/nghttp2/security/advisories/GHSA-x6x3-gv8h-m57q
https://lists.debian.org/debian-lts-announce/2024/04/msg00026.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AGOME6ZXJG7664IPQNVE3DL67E3YP3HY/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J6ZMXUGB66VAXDW5J6QSTHM5ET25FGSA/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXJO2EASHM2OQQLGVDY5ZSO7UVDVHTDK/
http://www.openwall.com/lists/oss-security/2024/04/03/16
https://github.com/nghttp2/nghttp2/commit/00201ecd8f982da3b67d4f6868af72a1b03b14e0
https://github.com/nghttp2/nghttp2/commit/d71a4668c6bead55805d18810d633fbb98315af9
https://github.com/nghttp2/nghttp2/security/advisories/GHSA-x6x3-gv8h-m57q
https://lists.debian.org/debian-lts-announce/2024/04/msg00026.html
https://lists.debian.org/debian-lts-announce/2024/09/msg00041.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AGOME6ZXJG7664IPQNVE3DL67E3YP3HY/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J6ZMXUGB66VAXDW5J6QSTHM5ET25FGSA/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXJO2EASHM2OQQLGVDY5ZSO7UVDVHTDK/
https://www.kb.cert.org/vuls/id/421644