CVE-2024-28182
nghttp2 - security update
CVSS 3.1 score: 5.3 (MEDIUM); EPSS: 25.0%
Description
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading an unbounded number of HTTP/2 CONTINUATION frames, even after a stream is reset, in order to keep the HPACK context in sync. This causes excessive CPU usage while decoding the HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.
How to fix CVE-2024-28182
To remediate CVE-2024-28182, upgrade the affected package to a fixed version below.
- upgrade to 1.43.0-1+deb11u2 or later
- upgrade to 1.36.0-2+deb10u3 or later
- upgrade to 1.43.0-1+deb11u2 or later
Is CVE-2024-28182 being exploited?
Moderate — EPSS is 25.0%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (3)
- from 0, < 1.43.0-1+deb11u2
- from 0, < 1.36.0-2+deb10u3
- from 0, < 1.43.0-1+deb11u2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |