Cyber Resilience

CVE-2026-22776

HighPublic PoC

Published: 12 January 2026

Published
12 January 2026
Modified
15 January 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0035 27.0th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-22776 is a high-severity Data Amplification (CWE-409) vulnerability in Yhirose Cpp-Httplib. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 27.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2026-22776 is a Denial of Service (DoS) vulnerability in cpp-httplib, a C++11 single-file header-only cross-platform HTTP/HTTPS library. The issue affects versions prior to 0.30.1 and stems from unsafe handling of compressed HTTP request bodies using Content-Encoding such as gzip or br. Specifically, the library enforces the payload_max_length limit only against the size of the compressed data received from the network, without restricting the size of the decompressed data allocated in memory. This flaw is rated at CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-409 (Improper Handling of Highly Compressed Data).

An attacker can exploit this vulnerability remotely over the network with low complexity, requiring no privileges or user interaction. By sending a malicious HTTP request with a small compressed body that expands significantly upon decompression—such as a gzip-encoded payload—the attacker can force the server to allocate excessive memory. This leads to memory exhaustion, potential out-of-memory crashes, or severe degradation of service availability on affected cpp-httplib-based HTTP servers.

Mitigation is available via the patch in cpp-httplib version 0.30.1, detailed in the fix commit at https://github.com/yhirose/cpp-httplib/commit/2e2e47bab1ae6a853476eecbc4bf279dd1fef792. The GitHub security advisory at https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-h934-98h4-j43q provides further guidance, recommending immediate upgrades for applications using vulnerable versions.

EU & UK References

Vulnerability details

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.1, a Denial of Service (DoS) vulnerability exists in cpp-httplib due to the unsafe handling of compressed HTTP request bodies (Content-Encoding: gzip, br, etc.). The library validates…

more

the payload_max_length against the compressed data size received from the network, but does not limit the size of the decompressed data stored in memory.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

CVE enables remote application-layer DoS via memory exhaustion from decompressed payload, directly matching T1499.004 (Application or System Exploitation).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28435Same product: Yhirose Cpp-Httplib
CVE-2026-31870Same product: Yhirose Cpp-Httplib
CVE-2025-53628Same product: Yhirose Cpp-Httplib
CVE-2026-32627Same product: Yhirose Cpp-Httplib
CVE-2026-33745Same product: Yhirose Cpp-Httplib
CVE-2026-21428Same product: Yhirose Cpp-Httplib
CVE-2026-21441Shared CWE-409
CVE-2026-22870Shared CWE-409
CVE-2026-43970Shared CWE-409
CVE-2026-1526Shared CWE-409

Affected Assets

yhirose
cpp-httplib
≤ 0.30.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SC-5 directly implements denial-of-service protections to limit or prevent resource exhaustion from malicious compressed HTTP requests that expand excessively upon decompression.

prevent

SC-6 provides mechanisms to protect memory and other resources from availability impacts caused by unbounded allocation during decompression of gzip or br encoded payloads.

prevent

SI-2 requires timely identification, reporting, and remediation of flaws like CVE-2026-22776 through patching cpp-httplib to version 0.30.1 or later.

References