CVE-2019-9516

January 16, 2021

Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory.

Summary:

Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory.

Reference Links(if available):

  • https://kb.cert.org/vuls/id/605641/
  • https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
  • https://seclists.org/bugtraq/2019/Aug/24
  • https://usn.ubuntu.com/4099-1/
  • http://seclists.org/fulldisclosure/2019/Aug/16

    • CVSS Score (if available)

    v2: / MEDIUMAV:N/AC:L/Au:N/C:N/I:N/A:C

    v3: / HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    Links to Exploits(if available)

  • Tags: , , , ,

    You may have missed

    image

    [NITROGEN] – Ransomware Victim: Progressive Auto Group

    July 15, 2025
    image

    [INCRANSOM] – Ransomware Victim: CF Construction Ltd

    July 15, 2025
    image

    [INCRANSOM] – Ransomware Victim: www[.]marvimundo[.]com

    July 15, 2025
    image

    CVE Alert: CVE-2025-51657

    July 15, 2025
    image

    CVE Alert: CVE-2025-7626

    July 15, 2025