Cyber Resilience

CVE-2024-28182

Medium

Published: 04 April 2024
Modified: 04 November 2025
CVSS Score v3.1: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
EPSS Score: 0.2497 (96.3rd percentile)
Risk Priority: 26 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-28182 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Fedoraproject Fedora. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 3.7% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

Deeper analysis

nghttp2 is a C implementation of the HTTP/2 protocol, and the vulnerability affects versions of the library prior to 1.61.0. It stems from the library continuing to process an unbounded number of HTTP/2 CONTINUATION frames after a stream is reset, which it does in order to keep the HPACK decoder state in sync with the sender; decoding that unbounded header block consumes excessive CPU. The issue is tracked as CWE-770 and carries a CVSS 3.1 base score of 5.3, reflecting a low availability impact with no confidentiality or integrity impact (C:N/I:N/A:L).

An unauthenticated remote attacker can send a crafted sequence of CONTINUATION frames against any application or service that uses a vulnerable nghttp2 build to handle incoming HTTP/2 traffic. Successful exploitation results in sustained high CPU usage on the target, degrading service responsiveness or causing denial of service without requiring authentication or user interaction.

The nghttp2 1.61.0 release addresses the flaw by enforcing a limit on the number of CONTINUATION frames accepted per stream. No workaround exists, and downstream distributions such as Debian have issued updated packages that incorporate the upstream fix. The associated EPSS score has remained essentially flat near 0.25 with only a negligible peak-to-current difference, providing no indication of rising exploitation interest after disclosure.
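How the 1.61.0 style of fix works in practice, as an added illustration (this is example code written for this page, not nghttp2's own code): the checker below parses a sequence of HTTP/2 frames and applies a per-stream cap on CONTINUATION frames. The cap value of 8 is an assumption, since the page says only that a limit is enforced. Frames belonging to a stream the application has already rejected (modelled by the `accept_stream` callback, also an assumption) are still counted, because the header block must still be consumed to keep the HPACK dynamic table in sync, which is exactly the path the vulnerability describes. The sample frame sequences are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Callable, Dict, Iterator, Optional, Tuple

# HTTP/2 frame types and flags used here (RFC 9113).
HEADERS, RST_STREAM, CONTINUATION = 0x1, 0x3, 0x9
FLAG_END_HEADERS = 0x4

# Placeholder cap: the page says 1.61.0 limits CONTINUATION frames per stream
# but does not give the number, so 8 is an assumed value for this example.
MAX_CONTINUATION_PER_STREAM = 8


@dataclass
class Frame:
    ftype: int
    flags: int
    stream_id: int
    payload: bytes


def encode_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Serialise one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    header += struct.pack("!I", stream_id & 0x7FFFFFFF)
    return header + payload


def iter_frames(data: bytes) -> Iterator[Frame]:
    """Parse frames from a buffer; a truncated trailing frame is ignored."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        if off + 9 + length > len(data):
            break
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        yield Frame(ftype, flags, stream_id, data[off + 9:off + 9 + length])
        off += 9 + length


def check_continuation_limit(
    data: bytes,
    accept_stream: Callable[[int], bool] = lambda sid: True,
    limit: int = MAX_CONTINUATION_PER_STREAM,
) -> Tuple[str, str]:
    """
    Walk a frame sequence the way a receiving endpoint would and enforce a
    per-stream CONTINUATION cap.

    accept_stream (assumed hook) models the application deciding, on HEADERS,
    whether to keep the stream; returning False stands for a local reset. Even
    then the rest of the header block must be consumed so the HPACK dynamic
    table stays in sync with the sender, which is the unbounded work the CVE
    describes, so the cap applies to reset streams exactly as to live ones.
    """
    open_block: Optional[int] = None      # stream whose header block is still open
    reset_locally: set = set()
    cont_count: Dict[int, int] = {}
    for f in iter_frames(data):
        if f.ftype == HEADERS:
            if open_block is not None:
                return ("reject", "HEADERS while header block of stream %d is open" % open_block)
            cont_count[f.stream_id] = 0
            if not accept_stream(f.stream_id):
                reset_locally.add(f.stream_id)   # still must decode its header block
            if not f.flags & FLAG_END_HEADERS:
                open_block = f.stream_id
        elif f.ftype == CONTINUATION:
            if f.stream_id != open_block:
                return ("reject", "CONTINUATION with no open header block")
            cont_count[f.stream_id] += 1
            if cont_count[f.stream_id] > limit:
                state = "reset" if f.stream_id in reset_locally else "live"
                return ("reject", "stream %d (%s) exceeded %d CONTINUATION frames"
                        % (f.stream_id, state, limit))
            if f.flags & FLAG_END_HEADERS:
                open_block = None
        elif open_block is not None:
            # Any other frame inside a header block is a protocol error (RFC 9113 section 4.3).
            return ("reject", "frame type 0x%x interleaved in header block" % f.ftype)
    return ("ok", "max CONTINUATION on one stream: %d" % max(cont_count.values(), default=0))


def benign_sequence() -> bytes:
    """Constructed sample: one header block split across two CONTINUATION frames."""
    return (encode_frame(HEADERS, 0, 1, b"\x82")                         # :method GET (HPACK static index 2)
            + encode_frame(CONTINUATION, 0, 1, b"\x86")                   # :scheme http
            + encode_frame(CONTINUATION, FLAG_END_HEADERS, 1, b"\x84"))   # :path /


def unbounded_sequence(n: int = 40) -> bytes:
    """Constructed sample: a header block that never carries END_HEADERS,
    so the receiver would keep decoding until something stops it."""
    return encode_frame(HEADERS, 0, 3, b"\x82") + b"".join(
        encode_frame(CONTINUATION, 0, 3, b"\x86") for _ in range(n))


if __name__ == "__main__":
    print(check_continuation_limit(benign_sequence()))
    # Stream 3 is rejected by the application, yet its frames are still counted and capped.
    print(check_continuation_limit(unbounded_sequence(), accept_stream=lambda sid: sid != 3))
```

The second call shows the point of the fix: the stream was locally reset at HEADERS time, the decoder still has to consume the header block, and without the cap the receiver would decode every frame the sender chooses to push. With the cap, the connection is rejected once the ninth CONTINUATION frame arrives, bounding the CPU spent per stream.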

Vulnerability details

nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.

CWE(s): CWE-770 Allocation of Resources Without Limits or Throttling

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

CVE-2024-28182 in nghttp2 allows remote attackers to send unbounded HTTP/2 CONTINUATION frames after stream reset, causing excessive CPU usage for HPACK decoding or OOM, enabling endpoint DoS via application exploitation.

MITRE ATLAS Techniques

AML.T0048: External Harms

Affected Assets

Vendor        | Product      | Versions
nghttp2       | nghttp2      | ≤ 1.61.0
debian        | debian linux | 10.0, 11.0
fedoraproject | fedora       | 38, 39, 40

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- addresses CWE-770: This control implements explicit throttling on session allocation, addressing the weakness of allocating resources without limits.
- addresses CWE-770: Plan testing exercises resource allocation limits and throttling during simulated failures, directly addressing weaknesses that allow unbounded resource use.
- addresses CWE-770: Contingency plan updates ensure recovery strategies address unbounded resource allocation, making it harder for attackers to exploit lack of throttling to cause prolonged outages.
- addresses CWE-770: Provides continuity when unbounded resource allocation at the primary site leads to exhaustion and downtime.
- addresses CWE-770: Alternate services allow operations to continue when primary allocation of resources lacks limits or throttling.
- addresses CWE-770: Explicit planning of security-related actions requires defining limits, windows, and resource allocations, making allocation without throttling far less likely.
- addresses CWE-770: Measures of performance include tracking allocation behavior and throttling effectiveness, reducing the window for resource exhaustion attacks.
- addresses CWE-770: Imposes an inactivity-based limit on network resource allocation, throttling the number of concurrently held connections.
