CVE-2024-27316

HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.

Published: Apr 4, 2024
Updated: Jun 7, 2024
CVE: CVE-2024-27316
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWEs:

CWE-400
CWE-770

Affected Software
References

Software	From	Fixed in
apache / http_server	2.4.17	2.4.59
fedoraproject / fedora	38	38.x
fedoraproject / fedora	39	39.x
fedoraproject / fedora	40	40.x
netapp / ontap	9	9.x

http://seclists.org/fulldisclosure/2024/Jul/18
http://www.openwall.com/lists/oss-security/2024/04/03/16
http://www.openwall.com/lists/oss-security/2024/04/04/4
https://httpd.apache.org/security/vulnerabilities_24.html
https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html
https://lists.fedoraproject.org/archives/list/[email protected]/message/FO73U3SLBYFGIW2YKXOK7RI4D6DJSZ2B/
https://lists.fedoraproject.org/archives/list/[email protected]/message/MIUBKSCJGPJ6M2U63V6BKFDF725ODLG7/
https://lists.fedoraproject.org/archives/list/[email protected]/message/QKKDVFWBKIHCC3WXNH3W75WWY4NW42OB/
https://security.netapp.com/advisory/ntap-20240415-0013/
https://support.apple.com/kb/HT214119
https://www.openwall.com/lists/oss-security/2024/04/03/16

Vulnerability Database

289,598

CVE-2024-27316