CVE-2024-28182

EUVD-2024-25307
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync.  This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
GitHub_MCNA
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 96%
Affected Products (NVD)
VendorProductVersion
nghttp2nghttp2
𝑥
< 1.61.0
debiandebian_linux
10.0
debiandebian_linux
11.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
nghttp2
bookworm
1.52.0-1+deb12u2
fixed
bookworm (security)
vulnerable
bullseye
vulnerable
bullseye (security)
1.43.0-1+deb11u2
fixed
forky
1.64.0-1.1
fixed
sid
1.64.0-1.1
fixed
trixie
1.64.0-1.1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
nghttp2
bionic
Fixed 1.30.0-1ubuntu1+esm2
released
focal
Fixed 1.40.0-1ubuntu0.3
released
jammy
Fixed 1.43.0-1ubuntu0.2
released
mantic
Fixed 1.55.1-1ubuntu0.2
released
noble
Fixed 1.59.0-1ubuntu0.1
released
xenial
Fixed 1.7.1-1ubuntu0.1~esm2
released
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2024/04/03/16
https://github.com/nghttp2/nghttp2/commit/00201ecd8f982da3b67d4f6868af72a1b03b14e0
https://github.com/nghttp2/nghttp2/commit/d71a4668c6bead55805d18810d633fbb98315af9
https://github.com/nghttp2/nghttp2/security/advisories/GHSA-x6x3-gv8h-m57q
https://lists.debian.org/debian-lts-announce/2024/04/msg00026.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AGOME6ZXJG7664IPQNVE3DL67E3YP3HY/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J6ZMXUGB66VAXDW5J6QSTHM5ET25FGSA/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXJO2EASHM2OQQLGVDY5ZSO7UVDVHTDK/
http://www.openwall.com/lists/oss-security/2024/04/03/16
https://github.com/nghttp2/nghttp2/commit/00201ecd8f982da3b67d4f6868af72a1b03b14e0
https://github.com/nghttp2/nghttp2/commit/d71a4668c6bead55805d18810d633fbb98315af9
https://github.com/nghttp2/nghttp2/security/advisories/GHSA-x6x3-gv8h-m57q
https://lists.debian.org/debian-lts-announce/2024/04/msg00026.html
https://lists.debian.org/debian-lts-announce/2024/09/msg00041.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AGOME6ZXJG7664IPQNVE3DL67E3YP3HY/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J6ZMXUGB66VAXDW5J6QSTHM5ET25FGSA/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXJO2EASHM2OQQLGVDY5ZSO7UVDVHTDK/
https://www.kb.cert.org/vuls/id/421644