CVE-2026-22776
Published: 12 January 2026
Summary
CVE-2026-22776 is a high-severity Data Amplification (CWE-409) vulnerability in Yhirose Cpp-Httplib. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 27.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
CVE-2026-22776 is a Denial of Service (DoS) vulnerability in cpp-httplib, a C++11 single-file header-only cross-platform HTTP/HTTPS library. The issue affects versions prior to 0.30.1 and stems from unsafe handling of compressed HTTP request bodies using Content-Encoding such as gzip or br. Specifically, the library enforces the payload_max_length limit only against the size of the compressed data received from the network, without restricting the size of the decompressed data allocated in memory. This flaw is rated at CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-409 (Improper Handling of Highly Compressed Data).
An attacker can exploit this vulnerability remotely over the network with low complexity, requiring no privileges or user interaction. By sending a malicious HTTP request with a small compressed body that expands significantly upon decompression—such as a gzip-encoded payload—the attacker can force the server to allocate excessive memory. This leads to memory exhaustion, potential out-of-memory crashes, or severe degradation of service availability on affected cpp-httplib-based HTTP servers.
Mitigation is available via the patch in cpp-httplib version 0.30.1, detailed in the fix commit at https://github.com/yhirose/cpp-httplib/commit/2e2e47bab1ae6a853476eecbc4bf279dd1fef792. The GitHub security advisory at https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-h934-98h4-j43q provides further guidance, recommending immediate upgrades for applications using vulnerable versions.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2006
Vulnerability details
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.1, a Denial of Service (DoS) vulnerability exists in cpp-httplib due to the unsafe handling of compressed HTTP request bodies (Content-Encoding: gzip, br, etc.). The library validates…
more
the payload_max_length against the compressed data size received from the network, but does not limit the size of the decompressed data stored in memory.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables remote application-layer DoS via memory exhaustion from decompressed payload, directly matching T1499.004 (Application or System Exploitation).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SC-5 directly implements denial-of-service protections to limit or prevent resource exhaustion from malicious compressed HTTP requests that expand excessively upon decompression.
SC-6 provides mechanisms to protect memory and other resources from availability impacts caused by unbounded allocation during decompression of gzip or br encoded payloads.
SI-2 requires timely identification, reporting, and remediation of flaws like CVE-2026-22776 through patching cpp-httplib to version 0.30.1 or later.