CVE-2019-9516 HIGH

CVE-2019-9516: Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service

Vendor N/A
Product n/a
Weakness CWE-400
Published August 13, 2019
Last update August 4, 2024

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory.

Key dates

02Disclosure timeline

August 13, 2019 CVE published
August 4, 2024 Record updated