nghttp2
cpe:2.3:a:nghttp2:nghttp2:*:*:*:*:*:*:*
- <= 1.68.0
A denial-of-service vulnerability has been identified in the nghttp2 library, which implements HTTP/2 in C. This issue affects versions of nghttp2 through 1.68.0. The vulnerability arises because the library fails to properly validate internal states when the public APIs 'nghttp2_session_terminate_session' or 'nghttp2_session_terminate_session2' are called. As a result, after these APIs are invoked, the library continues to read incoming data. If a malformed frame is then received, it can trigger an assertion failure. This vulnerability can be exploited when the library processes certain types of frames, such as ALTSVC or PRIORITY_UPDATE, especially if these frame types are enabled through nghttp2 options.
Exploitation of this vulnerability leads to an assertion failure, causing a denial-of-service condition. In builds where assertions are disabled, the vulnerability may allow the library to continue processing incoming data after the termination session call, potentially leading to other issues.
The vulnerability can be reproduced by calling 'nghttp2_session_terminate_session' or 'nghttp2_session_terminate_session2' while processing ALTSVC frames. After the termination call, a malformed frame that violates the FRAME_SIZE rules should be sent. This sequence will trigger the assertion failure, demonstrating the vulnerability.
Users are advised to upgrade to nghttp2 version 1.68.1, which includes the necessary state validations to prevent the assertion failure. For those using a build that disables assertions, it is still recommended to apply the patch, as the vulnerability could lead to unintended data processing.
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.