nghttp2 Temporarily Buffers Incoming Headers to Prevent Memory Exhaustion
CVE-2024-27316

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Http Server
Vendor: CVE Published:; 4 April 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

A vulnerability exists in the nghttp2 component of Apache HTTP Server where incoming HTTP/2 headers exceeding specified limits are temporarily buffered. If a client continues to send headers without pause, it can lead to memory exhaustion due to the inability to effectively process excess data. This situation arises when the server attempts to generate an informative HTTP 413 response, but prolonged header submission can result in server instability and service interruption.

Affected Version(s)

Apache HTTP Server 2.4.17 <= 2.4.58

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-27316
Created by lockness-Ko

References

https://httpd.apache.org/security/vulnerabilities_24.html

vendor-advisory

https://www.openwall.com/lists/oss-security/2024/04/03/16

http://www.openwall.com/lists/oss-security/2024/04/04/4

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Apr 9, 2024
👾
Exploit known to exist
Apr 9, 2024
Vulnerability published
Apr 4, 2024

Credit

Bartek Nowotarski (https://nowotarski.info/)