CVE-2026-22776
Published: 12 January 2026
Summary
CVE-2026-22776 is a high-severity Data Amplification (CWE-409) vulnerability in Yhirose Cpp-Httplib. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 23.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Limits effects of data amplification from compressed or malicious inputs.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables remote application-layer DoS via memory exhaustion from decompressed payload, directly matching T1499.004 (Application or System Exploitation).
NVD Description
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.1, a Denial of Service (DoS) vulnerability exists in cpp-httplib due to the unsafe handling of compressed HTTP request bodies (Content-Encoding: gzip, br, etc.). The library validates…
more
the payload_max_length against the compressed data size received from the network, but does not limit the size of the decompressed data stored in memory.
Deeper analysisAI
CVE-2026-22776 is a Denial of Service (DoS) vulnerability in cpp-httplib, a C++11 single-file header-only cross-platform HTTP/HTTPS library. The issue affects versions prior to 0.30.1 and stems from unsafe handling of compressed HTTP request bodies using Content-Encoding such as gzip or br. Specifically, the library enforces the payload_max_length limit only against the size of the compressed data received from the network, without restricting the size of the decompressed data allocated in memory. This flaw is rated at CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-409 (Improper Handling of Highly Compressed Data).
An attacker can exploit this vulnerability remotely over the network with low complexity, requiring no privileges or user interaction. By sending a malicious HTTP request with a small compressed body that expands significantly upon decompression—such as a gzip-encoded payload—the attacker can force the server to allocate excessive memory. This leads to memory exhaustion, potential out-of-memory crashes, or severe degradation of service availability on affected cpp-httplib-based HTTP servers.
Mitigation is available via the patch in cpp-httplib version 0.30.1, detailed in the fix commit at https://github.com/yhirose/cpp-httplib/commit/2e2e47bab1ae6a853476eecbc4bf279dd1fef792. The GitHub security advisory at https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-h934-98h4-j43q provides further guidance, recommending immediate upgrades for applications using vulnerable versions.
Details
- CWE(s)