CVE-2023-26964: h2 vulnerable to denial of service

April 11, 2023 (updated May 1, 2023)

Hyper is an HTTP library for Rust and h2 is an HTTP 2.0 client & server implementation for Rust. An issue was discovered in h2 v0.2.4 when processing header frames. It incorrectly processes the HTTP2 RST_STREAM frames by not always releasing the memory immediately upon receiving the reset frame, leading to stream stacking. As a result, the memory and CPU usage are high which can lead to a Denial of Service (DoS).

This issue affects users only when dealing with http2 connections.

References

github.com/advisories/GHSA-f8vr-r385-rh5r
github.com/hyperium/h2/issues/621
github.com/hyperium/h2/pull/668
github.com/hyperium/hyper
github.com/hyperium/hyper/issues/2877
nvd.nist.gov/vuln/detail/CVE-2023-26964
rustsec.org/advisories/RUSTSEC-2023-0034.html

Detect and mitigate CVE-2023-26964 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →