Memory Allocation Flaw in Moby's spdystream Go Library
CVE-2026-35469

8.7 HIGH

Key Information:

Vendor: Moby
CVE Published: 16 April 2026

What is CVE-2026-35469?

The spdystream Go library, which multiplexes streams over SPDY connections, has a memory allocation vulnerability in versions 0.5.0 and earlier. The SPDY/3 frame parser does not properly validate attacker-controlled counts and lengths, which can lead to memory exhaustion and a process crash. Specifically, the SETTINGS frame entry count and header field sizes are read as 32-bit integers and used directly as allocation sizes without adequate bounds checking. An adversary who sends crafted SPDY frames to a service that uses this library can exploit the flaw to provoke an out-of-memory condition. The issue is fixed in version 0.5.1.
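The missing check described above, as an added Go example (not spdystream's code or its 0.5.1 fix): a SETTINGS payload parser that validates the declared entry count against the bytes received before allocating. The entry layout follows the SPDY/3 specification; `ParseSettings`, `ErrBadCount` and the 4096-entry cap are assumptions of this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed cap for this example; not a value taken from spdystream.
const maxSettingsEntries = 4096

var ErrBadCount = errors.New("settings: entry count exceeds payload or limit")

type Setting struct {
	Flags uint8
	ID    uint32 // 24 bits on the wire
	Value uint32
}

// ParseSettings reads a SPDY/3 SETTINGS payload: a 32-bit entry count, then
// 8-byte entries (8-bit flags, 24-bit ID, 32-bit value).
func ParseSettings(payload []byte) ([]Setting, error) {
	if len(payload) < 4 {
		return nil, errors.New("settings: truncated entry count")
	}
	n := binary.BigEndian.Uint32(payload[:4])
	body := payload[4:]
	// Validate the declared count against the bytes actually received
	// (in uint64, so n*8 cannot wrap) before it sizes any allocation.
	if uint64(n) > maxSettingsEntries || uint64(n)*8 > uint64(len(body)) {
		return nil, ErrBadCount
	}
	out := make([]Setting, 0, n)
	for i := uint32(0); i < n; i++ {
		e := body[i*8 : i*8+8]
		id := uint32(e[1])<<16 | uint32(e[2])<<8 | uint32(e[3])
		out = append(out, Setting{e[0], id, binary.BigEndian.Uint32(e[4:8])})
	}
	return out, nil
}

func main() {
	// Constructed inputs: one valid entry, then a count of 2^32-1 with no entries.
	fmt.Println(ParseSettings([]byte{0, 0, 0, 1, 0, 0, 0, 4, 0, 0, 0, 100}))
	fmt.Println(ParseSettings([]byte{0xff, 0xff, 0xff, 0xff}))
}
```

The same pattern applies to the header field sizes: compare each declared length with the bytes remaining in the frame, and with a configured ceiling, before using it as an allocation size.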

Affected Version(s)

spdystream < 0.5.1

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None
