CVE-2024-28182
Published: 2024-04-04
Priority: P348 · medium · 5.3 (CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
EPSS: 84.96% (99.7th percentile)
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.
Affected
40 ranges (showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | nghttp2 | < nghttp2 1.52.0-1+deb12u2 (bookworm) | nghttp2 1.52.0-1+deb12u2 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| msrc | azl3_cmake_3.29.6-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_cmake_3.30.3-6_on_azure_linux_3.0 | — | — |
| msrc | azl3_fluent-bit_3.1.9-2_on_azure_linux_3.0 | — | — |
| msrc | azl3_fluent-bit_3.1.9-4_on_azure_linux_3.0 | — | — |
| msrc | azl3_nghttp2_1.59.0-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_nghttp2_1.61.0-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_nodejs_20.10.0-2_on_azure_linux_3.0 | — | — |
| msrc | azl3_nodejs_20.14.0-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.75.0-14_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.75.0-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.86.0-1_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_cmake_3.21.4-14_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_cmake_3.21.4-17_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_fluent-bit_3.0.6-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_fluent-bit_3.0.6-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_nghttp2_1.57.0-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_nodejs18_18.20.2-2_on_cbl_mariner_2.0 | — | — |
Detection & IOCs (extracted from sources)
- Detect excessive HTTP/2 CONTINUATION frames sent within a single stream, which may indicate a DoS attempt exploiting CVE-2024-28182
- Monitor for unauthenticated remote sources sending high volumes of HTTP/2 CONTINUATION frames to servers running nghttp2 < 1.61.0, which could cause CPU or memory exhaustion
- Alert on sustained abnormal CPU utilization on HTTP/2-serving hosts running nghttp2 prior to 1.61.0, as the attack manifests as excessive CPU usage that subsides after the attack ends
- nghttp2 v1.61.0 introduced a mitigation by limiting the number of CONTINUATION frames accepted per stream; ensure deployed versions meet or exceed this threshold
- No workaround exists for this vulnerability; patching to nghttp2 >= 1.61.0 is the only remediation
- Several Red Hat packages (nodejs:16/nodejs on RHEL 8, httpd24-nghttp2 and rh-nodejs14-nodejs in Red Hat Software Collections) are marked 'Will not fix', meaning those environments remain permanently exposed
- The vulnerability is exploitable remotely over HTTP/2 without authentication, broadening the attack surface for any internet-facing nghttp2-based service
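As an added, defender-side example (not nghttp2's code and not from any advisory above): a small Python parser for HTTP/2 frame headers that counts CONTINUATION frames per stream, keeps counting after RST_STREAM for the reason the description gives (the header block must still be consumed to keep HPACK state in sync), and reports streams that exceed a per-stream cap, which is the shape of the 1.61.0 mitigation. The frame builder, the sample frames and the cap of 8 are constructed for this example; nghttp2's actual limit value is not stated on this page.

```python
import struct

# HTTP/2 frame type codes and the END_HEADERS flag (RFC 9113)
HEADERS, RST_STREAM, CONTINUATION = 0x1, 0x3, 0x9
END_HEADERS = 0x4
# Assumed per-stream cap for this example; nghttp2's own limit value is not on the page.
MAX_CONTINUATIONS = 8


def build_frame(ftype, flags, stream_id, payload=b""):
    """Serialize one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for back-to-back frames in data."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        sid = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame at offset %d" % off)
        yield ftype, flags, sid, payload
        off += 9 + length


def continuation_alerts(data, limit=MAX_CONTINUATIONS):
    """Return [(stream_id, seen_after_reset)] for streams that exceed the cap.
    Counting deliberately continues after RST_STREAM: the header block must still be
    decoded to keep the HPACK context in sync, which is the work the flood abuses."""
    counts, reset, alerts = {}, set(), []
    for ftype, _flags, sid, _payload in iter_frames(data):
        if ftype == RST_STREAM:
            reset.add(sid)
        elif ftype == CONTINUATION:
            counts[sid] = counts.get(sid, 0) + 1
            if counts[sid] == limit + 1:  # report once per stream
                alerts.append((sid, sid in reset))
    return alerts


# Constructed samples: a normal header block split over two CONTINUATIONs on stream 1,
# then stream 3 is reset and flooded with CONTINUATION frames that never set END_HEADERS.
BENIGN = (build_frame(HEADERS, 0, 1, b"\x82") + build_frame(CONTINUATION, 0, 1, b"\x86")
          + build_frame(CONTINUATION, END_HEADERS, 1, b"\x84"))
FLOOD = BENIGN + build_frame(HEADERS, 0, 3, b"\x82") + build_frame(RST_STREAM, 0, 3, b"\0\0\0\x08")
FLOOD += b"".join(build_frame(CONTINUATION, 0, 3, b"\x86") for _ in range(40))
# continuation_alerts(BENIGN) -> []        continuation_alerts(FLOOD) -> [(3, True)]
```

The same counter applied to a live frame capture gives the "excessive CONTINUATION frames within a single stream" signal listed above, with the reset flag distinguishing the post-RST_STREAM variant this CVE describes.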
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| osv | 7.5 | HIGH | — |
| vendor_ubuntu | 7.5 | HIGH | — |
| vendor_debian | 5.3 | MEDIUM | — |
| vendor_msrc | 5.3 | MEDIUM | — |
| vendor_oracle | 5.3 | MEDIUM | — |
| vendor_redhat | 5.3 | MEDIUM | — |
OSV: nghttp2 vulnerability
osv · 2024-05-07 · CVSS 7.5 · CVE-2019-9511 [HIGH]
USN-6754-1 fixed vulnerabilities in nghttp2. This update provides the
corresponding update for Ubuntu 24.04 LTS.
Original advisory details:
It was discovered that nghttp2 incorrectly handled the HTTP/2
implementation. A remote attacker could possibly use this issue to cause
nghttp2 to consume resources, leading to a denial of service. This issue
only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-9511,
CVE-2019-9513)
It was discovered that nghttp2 incorrectly handled request cancellation. A
remote attacker could possibly use this issue to cause nghttp2 to consume
resources, leading to a denial of service. This issue only affected Ubuntu
16.04 LTS and Ubuntu 18.04 LTS. (CVE-2023-44487)
It was discovered that nghttp2 could be made to process an unlimited
OSV: nghttp2 vulnerabilities
osv · 2024-04-25 · CVSS 7.5 · CVE-2019-9511 [HIGH]
It was discovered that nghttp2 incorrectly handled the HTTP/2
implementation. A remote attacker could possibly use this issue to cause
nghttp2 to consume resources, leading to a denial of service. This issue
only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-9511,
CVE-2019-9513)
It was discovered that nghttp2 incorrectly handled request cancellation. A
remote attacker could possibly use this issue to cause nghttp2 to consume
resources, leading to a denial of service. This issue only affected Ubuntu
16.04 LTS and Ubuntu 18.04 LTS. (CVE-2023-44487)
It was discovered that nghttp2 could be made to process an unlimited number
of HTTP/2 CONTINUATION frames. A remote attacker could possibly use this
issue to cause nghttp2 to consume resources, leading to a d
OSV: CVE-2024-28182: nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C
osv · 2024-04-04 · CVSS 5.3 · CVE-2024-28182 [MEDIUM]
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.
Oracle: Oracle Communications Applications Risk Matrix: Installation (Nghttp2)
vendor_oracle · 2025-10-15 · CVSS 5.3 · CVE-2024-28182 [MEDIUM]
CVE: CVE-2024-28182
CVSS: 5.3
Protocol: HTTP/2
Remote exploit: Yes
Affected versions: Network
Advisory: cpuoct2025 (OCT 2025)
Oracle: Oracle Communications Risk Matrix: Platform (Nghttp2)
vendor_oracle · 2025-07-15 · CVSS 5.3 · CVE-2024-28182 [MEDIUM]
CVE: CVE-2024-28182
CVSS: 5.3
Protocol: HTTP/2
Remote exploit: Yes
Affected versions: Network
Advisory: cpujul2025 (JUL 2025)
Oracle: Oracle Communications Risk Matrix: Security Framework (Nghttp2)
vendor_oracle · 2024-10-15 · CVSS 5.3 · CVE-2024-28182 [MEDIUM]
CVE: CVE-2024-28182
CVSS: 5.3
Protocol: HTTP/2
Remote exploit: Yes
Affected versions: Network
Advisory: cpuoct2024 (OCT 2024)
CISA ICS: Siemens SINEC NMS
cisa_ics · 2024-08-15 · CVSS 7.0 · [HIGH]
ICS Advisory: Siemens SINEC NMS
Release Date: August 15, 2024
Alert Code: ICSA-24-228-06
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
## 1. EXECUTIVE SUMMARY
- CVSS v4 9.4
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: SINEC NMS
- Vulnerabilities: Use After Free, Improper Input Validation, Deserialization of Untrusted Data, Improper Restriction of Operations
Oracle: Oracle Communications Risk Matrix: Install (Nghttp2)
vendor_oracle · 2024-07-15 · CVSS 5.3 · CVE-2024-28182 [MEDIUM]
CVE: CVE-2024-28182
CVSS: 5.3
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujul2024 (JUL 2024)
Ubuntu: nghttp2 vulnerability
vendor_ubuntu · 2024-05-07 · CVSS 7.5 · CVE-2024-28182 [HIGH]
Summary: Several security issues were fixed in nghttp2.
USN-6754-1 fixed vulnerabilities in nghttp2. This update provides the
corresponding update for Ubuntu 24.04 LTS.
Original advisory details:
It was discovered that nghttp2 incorrectly handled the HTTP/2
implementation. A remote attacker could possibly use this issue to cause
nghttp2 to consume resources, leading to a denial of service. This issue
only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-9511,
CVE-2019-9513)
It was discovered that nghttp2 incorrectly handled request cancellation. A
remote attacker could possibly use this issue to cause nghttp2 to consume
resources, leading to a denial of service. This issue only affected Ubuntu
16.04 LTS and Ubuntu 18.04 LTS. (CVE-2023-44487)
It w
Ubuntu: nghttp2 vulnerabilities
vendor_ubuntu · 2024-04-25 · CVSS 7.5 · CVE-2024-28182 [HIGH]
Summary: Several security issues were fixed in nghttp2.
It was discovered that nghttp2 incorrectly handled the HTTP/2
implementation. A remote attacker could possibly use this issue to cause
nghttp2 to consume resources, leading to a denial of service. This issue
only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-9511,
CVE-2019-9513)
It was discovered that nghttp2 incorrectly handled request cancellation. A
remote attacker could possibly use this issue to cause nghttp2 to consume
resources, leading to a denial of service. This issue only affected Ubuntu
16.04 LTS and Ubuntu 18.04 LTS. (CVE-2023-44487)
It was discovered that nghttp2 could be made to process an unlimited number
of HTTP/2 CONTINUATION frames. A remote attacker could possibly use
Microsoft: Reading unbounded number of HTTP/2 CONTINUATION frames to cause excessive CPU usage
vendor_msrc · 2024-04-09 · CVSS 5.3 · CVE-2024-28182 [MEDIUM] · CWE-770
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
GitHub_M: GitHub_M
Customer Action Required: Yes
Remediation: CBL-Mariner
Red Hat: nghttp2: CONTINUATION frames DoS
vendor_redhat · 2024-04-03 · CVSS 5.3 · CVE-2024-28182 [MEDIUM] · CWE-390
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.
A vulnerability was found in how nghttp2 implements the HTTP/2 protocol. There are insufficient limitations placed on the amount of CONTINUATION frames that can be sent within a single stream. This issue could allow an unauthenticated remote attacker to send packets to vulnerable servers, which cou
Debian: CVE-2024-28182: nghttp2 - nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. ...
vendor_debian · 2024 · CVSS 5.3 · CVE-2024-28182 [MEDIUM]
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.
Scope: local
bookworm: resolved (fixed in 1.52.0-1+deb12u2)
bullseye: resolved (fixed in 1.43.0-1+deb11u2)
forky: resolved (fixed in 1.61.0-1)
sid: resolved (fixed in 1.61.0-1)
trixie: resolved (fixed in 1.61.0-1)
No detection rules found.
No public exploits indexed.
References
- http://www.openwall.com/lists/oss-security/2024/04/03/16
- https://github.com/nghttp2/nghttp2/commit/00201ecd8f982da3b67d4f6868af72a1b03b14e0
- https://github.com/nghttp2/nghttp2/commit/d71a4668c6bead55805d18810d633fbb98315af9
- https://github.com/nghttp2/nghttp2/security/advisories/GHSA-x6x3-gv8h-m57q
- https://lists.debian.org/debian-lts-announce/2024/04/msg00026.html
- https://lists.debian.org/debian-lts-announce/2024/09/msg00041.html
- https://lists.fedoraproject.org/archives/list/[email protected]/message/AGOME6ZXJG7664IPQNVE3DL67E3YP3HY/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/J6ZMXUGB66VAXDW5J6QSTHM5ET25FGSA/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/PXJO2EASHM2OQQLGVDY5ZSO7UVDVHTDK/
- https://www.kb.cert.org/vuls/id/421644