CVE-2024-28182
Published: 04 April 2024
Summary
CVE-2024-28182 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Fedoraproject Fedora. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 3.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
nghttp2 is a C implementation of the HTTP/2 protocol, and the vulnerability affects versions of the library prior to 1.61.0. It stems from the library continuing to process an unbounded number of HTTP/2 CONTINUATION frames after a stream reset in order to maintain HPACK decoder state, which leads to excessive CPU consumption during HPACK decoding. The issue is tracked as CWE-770 and carries a CVSS 3.1 base score of 5.3 reflecting an availability impact.
An unauthenticated remote attacker can send a crafted sequence of CONTINUATION frames against any application or service that uses a vulnerable nghttp2 build to handle incoming HTTP/2 traffic. Successful exploitation results in sustained high CPU usage on the target, degrading service responsiveness or causing denial of service without requiring authentication or user interaction.
The nghttp2 1.61.0 release addresses the flaw by enforcing a limit on the number of CONTINUATION frames accepted per stream. No workaround exists, and downstream distributions such as Debian have issued updated packages that incorporate the upstream fix. The associated EPSS score has remained essentially flat near 0.25 with only a negligible peak-to-current difference, providing no indication of rising exploitation interest after disclosure.
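To make the per-stream cap concrete, here is a small C model of a receiver-side frame-header check written for this page (it is not nghttp2's own code): once a HEADERS frame opens a header block, CONTINUATION frames on that stream are counted and the count is enforced even after the stream has been locally reset, which is the case the pre-1.61.0 code left unbounded. The limit of 8, the function names and the constructed frame sequence in h2_scenario are assumptions, not values taken from nghttp2.

```c
#include <stdint.h>
/* HTTP/2 frame types and flags (RFC 9113). */
#define H2_HEADERS       0x1
#define H2_CONTINUATION  0x9
#define H2_END_HEADERS   0x4
#define MAX_CONTINUATION 8 /* assumed cap; nghttp2 1.61.0 enforces its own value */
enum h2_verdict { H2_OK = 0, H2_PROTOCOL_ERROR = -1, H2_CONTINUATION_FLOOD = -2 };
struct h2_conn {
    uint32_t open_stream;       /* stream whose header block is still open, 0 = none */
    int cont_count, discarding; /* CONTINUATION frames seen; stream reset, fields dropped */
};

/* Local reset (e.g. the application rejected the request): the HPACK dynamic table is
 * shared by the whole connection, so the rest of the block must still be decoded. */
void h2_stream_reset(struct h2_conn *c, uint32_t sid) {
    if (c->open_stream == sid) c->discarding = 1;
}
/* Inspect one 9-byte frame header (24-bit length, type, flags, 31-bit stream id). */
enum h2_verdict h2_check_frame(struct h2_conn *c, const uint8_t *h) {
    uint8_t type = h[3], flags = h[4];
    uint32_t sid = ((uint32_t)(h[5] & 0x7f) << 24) | ((uint32_t)h[6] << 16) |
                   ((uint32_t)h[7] << 8) | h[8];
    if (c->open_stream == 0) {
        if (type == H2_HEADERS && !(flags & H2_END_HEADERS)) {
            c->open_stream = sid; c->cont_count = 0; c->discarding = 0;
        }
        return H2_OK;
    }
    /* A header block is open: only CONTINUATION on the same stream may follow. */
    if (type != H2_CONTINUATION || sid != c->open_stream) return H2_PROTOCOL_ERROR;
    /* The cap applies whether or not the stream was reset; pre-1.61.0 had no cap here. */
    if (++c->cont_count > MAX_CONTINUATION) return H2_CONTINUATION_FLOOD;
    if (flags & H2_END_HEADERS) c->open_stream = 0;
    return H2_OK;
}

/* Constructed scenario: HEADERS on stream 1 without END_HEADERS, optional local reset,
 * then n CONTINUATION frames with END_HEADERS set on the last one. */
enum h2_verdict h2_scenario(int n, int reset_after_headers) {
    struct h2_conn c = {0};
    uint8_t h[9] = {0, 0, 0, H2_HEADERS, 0, 0, 0, 0, 1};
    enum h2_verdict v = h2_check_frame(&c, h);
    if (reset_after_headers) h2_stream_reset(&c, 1);
    for (int i = 0; i < n && v == H2_OK; i++) {
        h[3] = H2_CONTINUATION;
        h[4] = (i == n - 1) ? H2_END_HEADERS : 0;
        v = h2_check_frame(&c, h);
    }
    return v;
}
```

A sequence of up to 8 CONTINUATION frames is accepted with or without a reset, while the ninth returns H2_CONTINUATION_FLOOD, which a real server would turn into a connection-level error.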
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-25307
Vulnerability details
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading an unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset, in order to keep the HPACK context in sync. This causes excessive CPU usage to decode the HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
CVE-2024-28182 in nghttp2 allows remote attackers to send unbounded HTTP/2 CONTINUATION frames after stream reset, causing excessive CPU usage for HPACK decoding or OOM, enabling endpoint DoS via application exploitation.
MITRE ATLAS Techniques (AI)
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- This control implements explicit throttling on session allocation, addressing the weakness of allocating resources without limits.
- Plan testing exercises resource allocation limits and throttling during simulated failures, directly addressing weaknesses that allow unbounded resource use.
- Contingency plan updates ensure recovery strategies address unbounded resource allocation, making it harder for attackers to exploit lack of throttling to cause prolonged outages.
- Provides continuity when unbounded resource allocation at the primary site leads to exhaustion and downtime.
- Alternate services allow operations to continue when primary allocation of resources lacks limits or throttling.
- Explicit planning of security-related actions requires defining limits, windows, and resource allocations, making allocation without throttling far less likely.
- Measures of performance include tracking allocation behavior and throttling effectiveness, reducing the window for resource exhaustion attacks.
- Imposes an inactivity-based limit on network resource allocation, throttling the number of concurrently held connections.