CVE-2021-44716
Published 2022-01-01
Priority: P3 · 40 · high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 3.96% (89.1th percentile)
net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
Affected
36 ranges, showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | golang-1.15 | < golang-1.15 1.15.15-1~deb11u2 (bullseye) | golang-1.15 1.15.15-1~deb11u2 (bullseye) |
| debian | golang-golang-x-net | < golang-1.15 1.15.15-1~deb11u2 (bullseye) | golang-1.15 1.15.15-1~deb11u2 (bullseye) |
| github.com | spiffe_spire | >= 0 < 1.0.3 | 1.0.3 |
| github.com | spiffe_spire | >= 1.1.0 < 1.1.3 | 1.1.3 |
| golang.org | x_net | >= 0 < 0.0.0-20211209124913-491a49abca63 | 0.0.0-20211209124913-491a49abca63 |
| golang.org | x_net_http2 | >= 0 < 0.0.0-20211209124913-491a49abca63 | 0.0.0-20211209124913-491a49abca63 |
| golang | go | < 1.16.12 | 1.16.12 |
| golang | go | >= 1.17.0 < 1.17.5 | 1.17.5 |
| msrc | azl3_keda_2.14.0-1 | — | — |
| msrc | azl3_keda_2.4.0-15 | — | — |
| msrc | azl3_moby-engine_20.10.25-3 | — | — |
| msrc | azl3_moby-engine_25.0.3-1 | — | — |
| msrc | azl3_multus_3.8-13 | — | — |
| msrc | azl3_multus_4.0.2-1 | — | — |
| msrc | azl3_node-problem-detector_0.8.10-18 | — | — |
| msrc | azl3_node-problem-detector_0.8.15-1 | — | — |
| msrc | azl3_prometheus-process-exporter_0.7.10-15 | — | — |
| msrc | azl3_prometheus-process-exporter_0.8.2-1 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_application-gateway-kubernetes-ingress_1.4.0-19 | — | — |
| msrc | cbl2_application-gateway-kubernetes-ingress_1.4.0-25 | — | — |
| msrc | cbl2_cf-cli_8.4.0-16 | — | — |
| msrc | cbl2_cf-cli_8.4.0-24 | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| ghsa | — | 7.5 | HIGH | — |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_msrc | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
GHSA
CVE-2024-4437 [HIGH] CWE-400 · GHSA-qv84-5j9v-4hj7: The etcd package distributed with the Red Hat OpenStack platform has an incomplete fix for CVE-2021-44716
ghsa_unreviewed · 2024-05-08 · CVSS 7.5
The etcd package distributed with the Red Hat OpenStack platform has an incomplete fix for CVE-2021-44716. This issue occurs because the etcd package in the Red Hat OpenStack platform is using http://golang.org/x/net/http2 instead of the one provided by Red Hat Enterprise Linux versions, meaning it should be updated at compile time instead.
OSV
CVE-2021-44716 [HIGH] · Unbounded memory growth in net/http and golang.org/x/net/http2
osv · 2022-07-15
An attacker can cause unbounded memory growth in servers accepting HTTP/2 requests.
GHSA / OSV
CVE-2021-44716 [HIGH] · Unbounded memory usage on exposed HTTP/2 (non-gRPC) endpoints
ghsa · 2022-01-12 · CVSS 7.5; osv · 2022-01-12 · CVSS 7.5
### Impact
The net/http Go package has a reported vulnerability tracked under CVE-2021-44716 which allows attacker controlled HTTP/2 requests to trigger unbounded memory usage in HTTP/2 endpoints. gRPC endpoints are not vulnerable as they rely on their own HTTP/2 implementation instead of the net/http package. HTTP/2 endpoints consuming the net/http package within SPIRE server and agent (or other components in this repository) that are _on by default_ include the following:
- OIDC Discovery Provider
- K8s Workload Registrar in webhook mode
The following endpoints are vulnerable _when enabled_:
- SPIRE server bundle endpoint (i.e. Federation API)
The following endpoints are _NOT_ vulnerable, since HTTP/2 support in go is not e
OSV / GHSA
CVE-2021-44716 [HIGH] CWE-400 · golang.org/x/net/http2 allows uncontrolled memory consumption
osv · 2022-01-02; ghsa · 2022-01-02
net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
OSV
CVE-2021-44716 [HIGH] · CVE-2021-44716: net/http in Go before 1
osv · 2022-01-01 · CVSS 7.5
net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
Palo Alto
CVE-2017-12424 [CRITICAL] · PAN-SA-2024-0013 Informational Bulletin: Impact of OSS CVEs in PAN-OS
vendor_paloalto · 2024-11-01 · CVSS 9.8
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the
CVEs: CVE-2017-12424, CVE-2021-3114, CVE-2021-31525, CVE-2021-33195, CVE-2021-33197, CVE-2021-33198, CVE-2021-34558, CVE-2021-36221, CVE-2021-4034, CVE-2021-44716, CVE-2021-44717, CVE-2022-1664, CVE-2022-1705, CVE-2022-23772, CVE-2022-24675, CVE-2022-24921, CVE-2022-28327, CVE-2022-2880, CVE-2022-29526, CVE-2022-30629, CVE-2022-30631, CVE-2022-30632, CVE-2022-32148, CVE-2022-32189, CVE-2022-41715, CVE-2022-41717, CVE-2022-41724, CVE-2022-41725, CVE-2023-24534, CVE-2023-24536, CVE-2023-24539, CVE-2023-29406, CVE-2023-29409, CVE-2023-39
Red Hat
CVE-2024-4437 [HIGH] CWE-400 · etcd: Incomplete fix for CVE-2021-44716 in OpenStack Platform
vendor_redhat · 2024-05-06 · CVSS 7.5
The etcd package distributed with the Red Hat OpenStack platform has an incomplete fix for CVE-2021-44716. This issue occurs because the etcd package in the Red Hat OpenStack platform is using http://golang.org/x/net/http2 instead of the one provided by Red Hat Enterprise Linux versions, meaning it should be updated at compile time instead.
Statement: The Red Hat OpenStack 17.1 is not affe
CISA ICS
[HIGH] · Siemens Brownfield Connectivity Gateway
cisa_ics · 2023-02-16 · CVSS 7.5
ICS Advisory
Release Date: February 16, 2023
Alert Code: ICSA-23-047-04
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
## 1. EXECUTIVE SUMMARY
- CVSS v3 7.5
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: Brownfield Connectivity—Gateway
- Vulnerabilities: Improper Restriction of Operations within the Bounds of a Memory Buffer, Improper Input Validation, Uncontrolled Resource Consumption, Exposure of Resource to Wrong S
Microsoft
CVE-2021-44716 [HIGH] CWE-400 · net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
vendor_msrc · 2022-01-11 · CVSS 7.5
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
mitre: m
Red Hat
CVE-2021-44716 [HIGH] CWE-400 · golang: net/http: limit growth of header canonicalization cache
vendor_redhat · 2021-12-09 · CVSS 7.5
net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
There's an uncontrolled resource consumption flaw in golang's net/http library in the canonicalHeader() function. An attacker who submits specially crafted requests to applications linked with net/http's http2 functionality could cause excessive resource consumption, leading to a denial of service or otherwise impacting system performance and resources.
Statement: For OpenShift Container Platform, OpenShift Virtualization, Red Hat Quay and OpenShift distributed tracing the most an attacker can possibly achieve by exploiting this vulnerability is to crash a container,
Debian
CVE-2021-44716 [HIGH] · CVE-2021-44716: golang-1.15 - net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memor...
vendor_debian · 2021 · CVSS 7.5
net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
Scope: local
bullseye: resolved (fixed in 1.15.15-1~deb11u2)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf
- https://groups.google.com/g/golang-announce/c/hcmEScgc00k
- https://lists.debian.org/debian-lts-announce/2022/01/msg00016.html
- https://lists.debian.org/debian-lts-announce/2022/01/msg00017.html
- https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html
- https://security.gentoo.org/glsa/202208-02
- https://security.netapp.com/advisory/ntap-20220121-0002/