CVE-2024-27316

Published: 04/04/2024 Updated: 21/04/2024

Vulnerability Summary

HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.

Vendor Advisories

Debian Bug report logs - #1068412 apache2: CVE-2024-27316 CVE-2024-24795 CVE-2023-38709 Package: src:apache2; Maintainer for src:apache2 is Debian Apache Maintainers <debian-apache@lists.debian.org>; Reported by: Moritz Mühlenhoff <jmm@inutil.org> Date: Thu, 4 Apr 2024 18:54:02 UTC Severity: grave Tags: security, u ...
HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion (CVE-2024-27316) ...

Mailing Lists

oss-sec mailing list archives: CERT/CC VU#421644: HTTP/2 CONTINUATION frames can be utilized for DoS attacks ...
oss-sec mailing list archives: CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames ...

Github Repositories

Proof of concept (PoC) for cve-2024-27316 (tested), CVE-2024-30255 (untested), CVE-2024-31309 (untested), CVE-2024-28182 (untested), CVE-2024-2653 (untested) and CVE-2024-27919 (untested)

CVE-2024-27316 I decided to call this vulnerability specifically "CVE-2024-27316" since I have tested it against this vulnerability. The underlying flaw affects other CVEs, so I thought I'd mention those with the hope that others could test and modify this PoC :) This PoC currently only works against unencrypted http/2 servers. Sources: www.kb.cert.org/vu

CVE-2024-27316 (HTTP/2 CONTINUATION flood) PoC
Target server (Apache httpd)
Start: docker-compose up -d
Connectivity check, httpd v2.4.58 (vulnerable): curl --http2 -i --head localhost:3392/ and curl --http2 -i --head -k localhost:3393/
Connectivity check, httpd v2.4.59 (fixed version): curl --http2 -i --head http

Recent Articles

New HTTP/2 DoS attack can crash web servers with a single connection
BleepingComputer • Bill Toulas • 04 Apr 2024

Newly discovered HTTP/2 protocol vulnerabilities called "CONTINUATION Flood" can lead to denial of service (DoS) attacks, crashing web servers with a single TCP connection in some implementations. HTTP/2 is an update to the HTTP protocol standardized in 2015, designed to improve web performance by introducing binary framing for efficient data transmission, multiplexing to allow multiple r...