Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.
2019-08-13T21:15:12.380
2025-01-14T19:29:55.853
Modified
CVSSv3.1: 7.5 (HIGH)
AV:N/AC:L/Au:N/C:N/I:N/A:C
10.0
6.9
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | apple | swiftnio | ≤ 1.4.0 | Yes |
| Operating System | apple | mac_os_x | ≥ 10.12 | No |
| Operating System | canonical | ubuntu_linux | ≥ 14.04 | No |
| Application | apache | traffic_server | ≤ 6.2.3 | Yes |
| Application | apache | traffic_server | ≤ 7.1.6 | Yes |
| Application | apache | traffic_server | ≤ 8.0.3 | Yes |
| Operating System | canonical | ubuntu_linux | 16.04 | Yes |
| Operating System | canonical | ubuntu_linux | 18.04 | Yes |
| Operating System | canonical | ubuntu_linux | 19.04 | Yes |
| Operating System | debian | debian_linux | 9.0 | Yes |
| Operating System | debian | debian_linux | 10.0 | Yes |
| Operating System | fedoraproject | fedora | 30 | Yes |
| Application | synology | skynas | - | Yes |
| Operating System | synology | diskstation_manager | 6.2 | Yes |
| Operating System | synology | vs960hd_firmware | - | Yes |
| Hardware | synology | vs960hd | - | No |
| Operating System | debian | debian_linux | 9.0 | Yes |
| Operating System | debian | debian_linux | 10.0 | Yes |
| Operating System | fedoraproject | fedora | 29 | Yes |
| Operating System | fedoraproject | fedora | 30 | Yes |
| Operating System | opensuse | leap | 15.0 | Yes |
| Operating System | opensuse | leap | 15.1 | Yes |
| Application | redhat | jboss_core_services | 1.0 | Yes |
| Application | redhat | jboss_enterprise_application_platform | 7.2.0 | Yes |
| Application | redhat | jboss_enterprise_application_platform | 7.3.0 | Yes |
| Application | redhat | openshift_service_mesh | 1.0 | Yes |
| Application | redhat | quay | 3.0.0 | Yes |
| Application | redhat | software_collections | 1.0 | Yes |
| Operating System | redhat | enterprise_linux | 8.0 | Yes |
| Application | oracle | graalvm | 19.2.0 | Yes |
| Application | mcafee | web_gateway | < 7.7.2.24 | Yes |
| Application | mcafee | web_gateway | < 7.8.2.13 | Yes |
| Application | mcafee | web_gateway | < 8.2.0 | Yes |
| Application | f5 | nginx | < 1.16.1 | Yes |
| Application | f5 | nginx | ≤ 1.17.2 | Yes |
| Application | oracle | enterprise_communications_broker | 3.1.0 | Yes |
| Application | oracle | enterprise_communications_broker | 3.2.0 | Yes |
| Application | nodejs | node.js | ≤ 8.8.1 | Yes |
| Application | nodejs | node.js | < 8.16.1 | Yes |
| Application | nodejs | node.js | ≤ 10.12.0 | Yes |
| Application | nodejs | node.js | < 10.16.3 | Yes |
| Application | nodejs | node.js | < 12.8.1 | Yes |