Description

nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.

INFO

Published Date :

2024-04-04T14:41:36.587Z

Last Modified :

2025-11-04T18:30:26.332Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-28182 vulnerability.

Vendors Products
Debian
  • Debian Linux
Fedoraproject
  • Fedora
Nghttp2
  • Nghttp2
Redhat
  • Enterprise Linux
  • Jboss Core Services
  • Rhel Aus
  • Rhel E4s
  • Rhel Eus
  • Rhel Tus

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact