CVE-2025-8671 MadeYouReset: Improper Resource Shutdown or Release in Linux Enterprise Server

Severity: 7.5 HIGH NVD; OSV 3.7
EPSS: 0.5% (top 32.42%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 13; latest update Feb 12

Description

A mismatch caused by client-triggered server-sent stream resets between HTTP/2 specifications and the internal architectures of some HTTP/2 implementations may result in excessive server resource consumption leading to denial-of-service (DoS). By opening streams and then rapidly triggering the server to reset them—using malformed frames or flow control errors—an attacker can exploit incorrect stream accounting. Streams reset by the server are considered closed at the protocol level, even though

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (19 packages)

Packagist: amphp/http-server, 3.0.0-beta.1, 3.4.4, +1
CVEListV5: suse_linux/enterprise_server, 12 SP5, 15 SP7

Vulnerability Details (8)

- OSV: dnsdist vulnerabilities (2026-02-12)
- GHSA: amphp/http-server affected by HTTP/2 DDoS vulnerability (2026-02-10)
- OSV: amphp/http-server affected by HTTP/2 DDoS vulnerability (2026-02-10)
- OSV: Pingora update for MadeYouReset HTTP/2 vulnerability (2025-09-17)
- GHSA: Pingora update for MadeYouReset HTTP/2 vulnerability (2025-09-17)

Vendor Advisories (3)

- Ubuntu: DNSdist vulnerabilities (2026-02-12)
- Red Hat: upstream: (2025-08-13)
- Debian: CVE-2025-8671: h2o - A mismatch caused by client-triggered server-sent stream resets between HTTP/2 s... (2025)