CVE-2023-35945 HIGH

CVE-2023-35945: Envoy vulnerable to HTTP/2 memory leak in nghttp2 codec

Vendor Envoyproxy

Product envoy

Weakness CWE-400

Published July 13, 2023

Last update October 31, 2024

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy’s HTTP/2 codec may leak a header map and bookkeeping structures upon receiving `RST_STREAM` immediately followed by the `GOAWAY` frames from an upstream server. In nghttp2, cleanup of pending requests due to receipt of the `GOAWAY` frame skips de-allocation of the bookkeeping structure and pending compressed header. The error return [code path] is taken if connection is already marked for not sending more requests due to `GOAWAY` frame. The clean-up code is right after the return statement, causing memory leak. Denial of service through memory exhaustion. This vulnerability was patched in versions(s) 1.26.3, 1.25.8, 1.24.9, 1.23.11.

Key dates

02Disclosure timeline

July 13, 2023 CVE published

October 31, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-35945 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/400.html

Related vulnerabilities

Identifiers

CVE CVE-2023-35945

CWE CWE-400

CVSS 7.5 / HIGH

Affected versions

Vendor Envoyproxy

Product envoy

Affected >= 1.26.0, < 1.26.3

Vendor Envoyproxy

Product envoy

Affected >= 1.25.0, < 1.25.8

Vendor Envoyproxy

Product envoy

Affected >= 1.24.0, < 1.24.9

Vendor Envoyproxy

Product envoy

Affected >= 1.23.0, < 1.23.11

CVE-2023-35945: Envoy vulnerable to HTTP/2 memory leak in nghttp2 codec

01Description

02Disclosure timeline

03References

04Related CVE