Bug 928538 (VU#421644) - [TRACKER] HTTP/2 CONTINUATION frames can be utilized for DoS attacks
Summary: [TRACKER] HTTP/2 CONTINUATION frames can be utilized for DoS attacks
Status: CONFIRMED
Alias: VU#421644
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://kb.cert.org/vuls/id/421644
Whiteboard:
Keywords: Tracker
Depends on: CVE-2024-27982, CVE-2024-27983, CVE-2023-45288, CVE-2023-38709, CVE-2024-24795, CVE-2024-27316, CVE-2024-28182, CVE-2024-2609, CVE-2024-3302, CVE-2024-3854, CVE-2024-3857, CVE-2024-3859, CVE-2024-3861, CVE-2024-3864, MSFA2024-18, MSFA2024-19, MSFA2024-20
Blocks:
Reported: 2024-04-03 22:09 UTC by Christopher Fore
Modified: 2024-04-21 17:49 UTC
CC: 0 users

See Also:
Package list:
Runtime testing required: ---


Description (Christopher Fore, 2024-04-03 22:09:24 UTC):
HTTP allows messages to include named fields in both header and trailer sections. These header and trailer fields are serialised as field blocks in HTTP/2, so that they can be transmitted in multiple fragments to the target implementation. Many HTTP/2 implementations do not properly limit or sanitize the amount of CONTINUATION frames sent within a single stream. An attacker that can send packets to a target server can send a stream of CONTINUATION frames that will not be appended to the header list in memory but will still be processed and decoded by the server or will be appended to the header list, causing an out of memory (OOM) crash.
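The description above names the failure mode: an implementation that keeps accepting CONTINUATION frames for one stream without bounding either their count or the bytes they carry. The following added example (it is not part of the bug report, the CERT note, or any affected project) shows the defensive side: a small HTTP/2 frame reader that buffers a HEADERS frame and its CONTINUATION frames for one stream, enforces a cap on the number of fragments and on the cumulative header-block size before any HPACK decoding would take place, and reports that the connection should be closed as soon as a cap is exceeded. The frame layout follows RFC 9113 section 4.1; all frame bytes are constructed inline for the example, and the limit values, class and function names are assumptions chosen here rather than any project's API.

```python
"""Added example: bounding HTTP/2 CONTINUATION frames before HPACK decoding."""

HEADERS, CONTINUATION = 0x1, 0x9   # frame type codes (RFC 9113)
END_HEADERS = 0x4                  # flag that terminates a header block


class FrameLimitExceeded(Exception):
    """Raised when a peer exceeds a header-block bound; caller should close the connection."""


def encode_frame(ftype, flags, stream_id, payload):
    """Serialise one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + stream_id.to_bytes(4, "big") + payload)


def iter_frames(data):
    """Yield (type, flags, stream_id, payload) tuples from a byte string of frames."""
    off = 0
    while off < len(data):
        if len(data) - off < 9:
            raise ValueError("truncated frame header")
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        yield ftype, flags, stream_id, payload
        off += 9 + length


class HeaderBlockAssembler:
    """Collects HEADERS + CONTINUATION fragments for one stream under hard limits.

    Limits are checked on the raw fragment bytes, so nothing is decoded and nothing
    unbounded is retained for a peer that never sends END_HEADERS.
    (Default limit values are assumptions for this example.)
    """

    def __init__(self, max_block_bytes=16 * 1024, max_continuations=8):
        self.max_block_bytes = max_block_bytes
        self.max_continuations = max_continuations
        self.stream_id = None          # stream whose header block is open, if any
        self.buf = bytearray()
        self.continuations = 0

    def feed(self, ftype, flags, stream_id, payload):
        """Return the complete header block when END_HEADERS arrives, else None."""
        if ftype == HEADERS:
            if self.stream_id is not None:
                raise FrameLimitExceeded("HEADERS while a header block is still open")
            self.stream_id, self.buf, self.continuations = stream_id, bytearray(), 0
        elif ftype == CONTINUATION:
            if self.stream_id is None or stream_id != self.stream_id:
                raise FrameLimitExceeded("CONTINUATION without a matching open HEADERS")
            self.continuations += 1
            if self.continuations > self.max_continuations:
                raise FrameLimitExceeded(
                    f"more than {self.max_continuations} CONTINUATION frames in one block")
        else:
            if self.stream_id is not None:
                raise FrameLimitExceeded("non-CONTINUATION frame inside a header block")
            return None
        # Byte cap applies to the cumulative block, counting every fragment.
        if len(self.buf) + len(payload) > self.max_block_bytes:
            raise FrameLimitExceeded(f"header block exceeds {self.max_block_bytes} bytes")
        self.buf += payload
        if flags & END_HEADERS:
            block, self.stream_id, self.buf = bytes(self.buf), None, bytearray()
            return block
        return None


def process_stream(data, **limits):
    """Run all frames through the assembler; summarise the outcome as a dict."""
    asm = HeaderBlockAssembler(**limits)
    completed, frames = [], 0
    try:
        for frame in iter_frames(data):
            frames += 1
            block = asm.feed(*frame)
            if block is not None:
                completed.append(block)
    except FrameLimitExceeded as exc:
        return {"status": "rejected", "reason": str(exc), "frames_processed": frames,
                "buffered": len(asm.buf), "completed": completed}
    return {"status": "ok", "reason": None, "frames_processed": frames,
            "buffered": len(asm.buf), "completed": completed}


def benign_stream():
    """Constructed input: a 100-byte header block split over three fragments."""
    return (encode_frame(HEADERS, 0, 1, b"h" * 40)
            + encode_frame(CONTINUATION, 0, 1, b"c" * 40)
            + encode_frame(CONTINUATION, END_HEADERS, 1, b"e" * 20))


def unterminated_stream(n=20):
    """Constructed input: a header block whose END_HEADERS never arrives."""
    return (encode_frame(HEADERS, 0, 1, b"h" * 40)
            + b"".join(encode_frame(CONTINUATION, 0, 1, b"c" * 1024) for _ in range(n)))


if __name__ == "__main__":
    print(process_stream(benign_stream())["status"])                      # ok
    print(process_stream(unterminated_stream())["reason"])                # count cap hit
    print(process_stream(unterminated_stream(), max_block_bytes=2048,
                         max_continuations=100)["reason"])                # byte cap hit
```

The two caps cover the two variants the description distinguishes: the fragment-count cap stops a peer that sends many empty or tiny CONTINUATION frames that would otherwise be processed indefinitely, and the cumulative-byte cap stops the variant where fragments are appended until memory is exhausted. Both checks run on raw bytes before any decoding, and the assembler's state is dropped as soon as a cap trips, so rejection costs the server nothing beyond what it had already buffered.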