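The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2c, does not restrict request-header length, which allows remote attackers to cause a denial of service (memory consumption) via crafted CONTINUATION frames in an HTTP/2 request. In HTTP/2 a single header block may be spread across any number of CONTINUATION frames, so without a cap on the accumulated header size the memory used for one request is not bounded.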
[
{
"id": "CVE-2016-8740-0be1a6b6",
"source": "https://github.com/apache/httpd/commit/29c63b786ae028d82405421585e91283c8fa0da3",
"digest": {
"line_hashes": [
"244481023149475990456424850895476734125",
"168040519394189920969892210167506517800",
"139431050514121276237459091241647733530",
"284714966141694497850569737308043946749",
"154048304374484397059762233995036391183",
"219737829885307372509143401869068772761",
"290554099235531278015707942428858454509",
"169703350810207944164328355273129720536"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "modules/http2/h2_session.c"
}
},
{
"id": "CVE-2016-8740-10cf6e18",
"source": "https://github.com/apache/httpd/commit/29c63b786ae028d82405421585e91283c8fa0da3",
"digest": {
"length": 1540.0,
"function_hash": "101208191567229092215005179581469079528"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "h2_stream_add_header",
"file": "modules/http2/h2_stream.c"
}
},
{
"id": "CVE-2016-8740-37cc2b20",
"source": "https://github.com/apache/httpd/commit/29c63b786ae028d82405421585e91283c8fa0da3",
"digest": {
"length": 746.0,
"function_hash": "35133289215646842858268275242346878128"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "on_header_cb",
"file": "modules/http2/h2_session.c"
}
},
{
"id": "CVE-2016-8740-8892a9f9",
"source": "https://github.com/apache/httpd/commit/29c63b786ae028d82405421585e91283c8fa0da3",
"digest": {
"line_hashes": [
"330812928712923097647431169060852349694",
"97962330718371112716733895949993495762",
"161288343024700098132977802419383077435",
"292267065053052929177953934748603888727",
"36057126629300946047816038563126389476",
"89957812090240971340612567678165689731",
"146205415267399968769228124982979820038",
"306884228181902485425325017978175973343",
"32905650322731696362541229059889047789",
"16379505148143251773312657069267948909",
"10851256074961049183059790553469473188",
"247713302117673057198521258381099537497",
"65748729280087126396730872948384230666",
"35988379571957043779869214937787771388",
"35513896102442032076111771610559934690",
"183361426703405195366100702376465548034",
"122740754188583041226320097802970122663",
"162023900025323705511919602298398980073",
"50951168893058211790274303055653784378",
"209968976316518048543613380668427410444",
"175176200539830981198336514731950225010",
"258029099397505074905860117525472594082",
"264116288663167832946635420571092014093",
"99838132887637535165142863012539037225",
"270406471116269501362211289259122509978",
"257597789389724016888757316377339413716",
"307873686065405842762111767971874098810",
"317363423084286711502866716741772912823",
"240434244231299267486927785493765036916",
"88216972723551032402518697086137787486",
"157853225052774601716563002210587479582",
"283479763512661529655883225390174471399",
"107648053937943838360533745631281501443",
"319312758995114045092221498424842029746",
"135088448420089307614680804757245164462",
"212127858969470162981989225298961726232",
"147026790061957939461555754947880946510"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "modules/http2/h2_stream.c"
}
}
]