CVE-2024-28182
published 2024-04-04


Priority: P3 48 · medium 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS: 84.96% (99.7th percentile)
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.61.0, the nghttp2 library keeps reading an unbounded number of HTTP/2 CONTINUATION frames even after a stream has been reset, in order to keep the HPACK decoding context in sync. Decoding that unbounded header block causes excessive CPU usage. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.

Affected

40 ranges, showing 25

Vendor | Product | Version range | Fixed in
debian | debian_linux | |
debian | debian_linux | |
debian | nghttp2 | < nghttp2 1.52.0-1+deb12u2 (bookworm) | nghttp2 1.52.0-1+deb12u2 (bookworm)
fedoraproject | fedora | |
fedoraproject | fedora | |
fedoraproject | fedora | |
msrc | azl3_cmake_3.29.6-1_on_azure_linux_3.0 | |
msrc | azl3_cmake_3.30.3-6_on_azure_linux_3.0 | |
msrc | azl3_fluent-bit_3.1.9-2_on_azure_linux_3.0 | |
msrc | azl3_fluent-bit_3.1.9-4_on_azure_linux_3.0 | |
msrc | azl3_nghttp2_1.59.0-1_on_azure_linux_3.0 | |
msrc | azl3_nghttp2_1.61.0-1_on_azure_linux_3.0 | |
msrc | azl3_nodejs_20.10.0-2_on_azure_linux_3.0 | |
msrc | azl3_nodejs_20.14.0-1_on_azure_linux_3.0 | |
msrc | azl3_rust_1.75.0-14_on_azure_linux_3.0 | |
msrc | azl3_rust_1.75.0-1_on_azure_linux_3.0 | |
msrc | azl3_rust_1.86.0-1_on_azure_linux_3.0 | |
msrc | azure_linux_3.0_arm | |
msrc | azure_linux_3.0_x64 | |
msrc | cbl2_cmake_3.21.4-14_on_cbl_mariner_2.0 | |
msrc | cbl2_cmake_3.21.4-17_on_cbl_mariner_2.0 | |
msrc | cbl2_fluent-bit_3.0.6-1_on_cbl_mariner_2.0 | |
msrc | cbl2_fluent-bit_3.0.6-2_on_cbl_mariner_2.0 | |
msrc | cbl2_nghttp2_1.57.0-2_on_cbl_mariner_2.0 | |
msrc | cbl2_nodejs18_18.20.2-2_on_cbl_mariner_2.0 | |

Detection & IOCs (extracted from sources)

  • Detect an excessive number of HTTP/2 CONTINUATION frames sent within a single stream; a header block that never carries END_HEADERS and keeps growing is the signature of a DoS attempt exploiting CVE-2024-28182.
  • Monitor for unauthenticated remote sources sending high volumes of HTTP/2 CONTINUATION frames to servers running nghttp2 < 1.61.0, which can drive CPU (and, depending on the embedding application, memory) exhaustion.
  • Alert on sustained abnormal CPU utilization on HTTP/2-serving hosts running nghttp2 prior to 1.61.0; the attack manifests as excessive CPU usage that subsides once the attacker stops sending frames.
  • nghttp2 v1.61.0 introduced a mitigation by limiting the number of CONTINUATION frames accepted per stream; ensure deployed versions meet or exceed this threshold. Note that distributions backport the fix without bumping the upstream version (the Affected table lists Debian bookworm as fixed in nghttp2 1.52.0-1+deb12u2), so a naive "version < 1.61.0" check on the library version string produces false positives; compare against the package version your distribution marks as fixed.
  • No workaround exists for this vulnerability; upgrading to nghttp2 >= 1.61.0, or to a distribution package that carries the backported fix, is the only remediation.
  • Several Red Hat packages (nodejs:16/nodejs on RHEL 8, httpd24-nghttp2 and rh-nodejs14-nodejs in Red Hat Software Collections) are marked 'Will not fix', meaning those environments remain exposed unless the workload is moved to a fixed package.
  • The vulnerability is exploitable remotely over HTTP/2 without authentication, broadening the attack surface for any internet-facing nghttp2-based service.
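The first detection item above is checkable directly on captured bytes. The following is an added example written for this page, not code from the advisory or from nghttp2: it parses the HTTP/2 frame layout of RFC 9113 section 4.1 from a client-to-server byte capture, counts CONTINUATION frames per stream without stopping at RST_STREAM (the flaw is precisely that decoding continued after a reset), and reports streams whose header block exceeds a threshold or never terminates. The sample capture is constructed inline, and the MAX_CONTINUATIONS threshold is an assumed tunable, not a number the advisory states.

```python
"""Count HTTP/2 CONTINUATION frames per stream in a raw byte capture and
flag streams that exceed a threshold (added example, not nghttp2 code).

Frame layout per RFC 9113 section 4.1:
  24-bit length | 8-bit type | 8-bit flags | 1 reserved bit + 31-bit stream id | payload
"""
import struct
from collections import defaultdict

# Frame types and flags from RFC 9113.
HEADERS, RST_STREAM, CONTINUATION = 0x1, 0x3, 0x9
END_HEADERS = 0x4
FRAME_HEADER_LEN = 9
MAX_CONTINUATIONS = 8  # assumed alert threshold per header block, not the advisory's value


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Encode one frame: 3-byte length, type, flags, 4-byte stream id, payload."""
    assert len(payload) < (1 << 24), "frame payload exceeds 24-bit length field"
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload)


def iter_frames(data: bytes):
    """Yield (type, flags, stream_id, payload) tuples; stop at a truncated trailing frame."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break  # incomplete frame at end of capture
        yield ftype, flags, stream_id, payload
        off += FRAME_HEADER_LEN + length


def scan_continuations(data: bytes, max_continuations: int = MAX_CONTINUATIONS) -> dict:
    """Per stream, count CONTINUATION frames in the current header block.

    Counting deliberately continues across RST_STREAM: the vulnerable decoder
    kept consuming CONTINUATION frames after the stream was reset, so a
    detector must not reset its counter when it sees a reset either.
    """
    counts = defaultdict(int)  # stream id -> CONTINUATION frames since last HEADERS
    open_block = {}            # stream id -> True while END_HEADERS has not been seen
    reset = set()              # streams for which a RST_STREAM was observed
    for ftype, flags, sid, _payload in iter_frames(data):
        if ftype == HEADERS:
            counts[sid] = 0
            open_block[sid] = not (flags & END_HEADERS)
        elif ftype == RST_STREAM:
            reset.add(sid)
        elif ftype == CONTINUATION:
            counts[sid] += 1
            if flags & END_HEADERS:
                open_block[sid] = False
    alerts = [{"stream": sid, "continuations": n, "after_reset": sid in reset}
              for sid, n in sorted(counts.items()) if n > max_continuations]
    return {
        "counts": dict(counts),
        "unterminated": sorted(sid for sid, is_open in open_block.items() if is_open),
        "alerts": alerts,
    }


def sample_capture() -> bytes:
    """Constructed client-to-server bytes (not a real capture).

    Stream 1: a well-formed request whose header block ends after one CONTINUATION.
    Stream 3: a header block that is never terminated; the stream is reset and
    20 more CONTINUATION frames follow anyway. In a bidirectional capture the
    RST_STREAM would normally come from the server; here it is placed inline.
    """
    blob = b"\x82"  # placeholder header-block fragment; content is irrelevant to frame accounting
    frames = [
        build_frame(HEADERS, 0, 1, blob),
        build_frame(CONTINUATION, END_HEADERS, 1, blob),
        build_frame(HEADERS, 0, 3, blob),
        build_frame(RST_STREAM, 0, 3, struct.pack("!I", 0x8)),  # error code CANCEL
    ]
    frames += [build_frame(CONTINUATION, 0, 3, blob) for _ in range(20)]
    return b"".join(frames)


if __name__ == "__main__":
    result = scan_continuations(sample_capture())
    for alert in result["alerts"]:
        print(f"stream {alert['stream']}: {alert['continuations']} CONTINUATION frames "
              f"(after reset: {alert['after_reset']})")
    print("header blocks never terminated on streams:", result["unterminated"])
```

On the constructed sample the scanner reports stream 3 with 20 CONTINUATION frames after a reset and an unterminated header block, while stream 1 stays below the threshold. To apply it to real traffic, feed it the TLS-decrypted client-to-server byte stream after the connection preface and SETTINGS exchange; a production rule would additionally rate-limit alerts per source address.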

CVSS provenance

Source | Score | Severity | Vector
nvd (v3.1) | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
osv | 7.5 | HIGH |
vendor_ubuntu | 7.5 | HIGH |
vendor_debian | 5.3 | MEDIUM |
vendor_msrc | 5.3 | MEDIUM |
vendor_oracle | 5.3 | MEDIUM |
vendor_redhat | 5.3 | MEDIUM |