CVE-2020-11080
- Source
- https://cve.org/CVERecord?id=CVE-2020-11080
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-11080.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2020-11080
- Aliases
- Downstream
- Related
- Published
- 2020-06-03T23:15:11.073Z
- Modified
- 2026-04-16T04:37:15.762855914Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2onframerecvcallback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection.
- References
-
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/
- https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AAC2AA36OTRHKSVM5OV7TTVB3CZIGEFL/
- https://lists.debian.org/debian-lts-announce/2021/10/msg00011.html
- https://www.debian.org/security/2020/dsa-4696
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://github.com/nghttp2/nghttp2/commit/f8da73bd042f810f34d19f9eae02b46d870af394
- https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090
- https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr
Affected packages
Git / github.com/graalvm/graalvm-ce-builds
Affected ranges
- Type
- GIT
- Repo
- https://github.com/graalvm/graalvm-ce-builds
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affected
- Database specific
{ "versions": [ { "introduced": "0" }, { "last_affected": "19.3.2" } ] }
- Type
- GIT
- Repo
- https://github.com/mysql/mysql-server
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroducedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroducedLast affected
- Database specific
{ "versions": [ { "introduced": "7.3.0" }, { "last_affected": "7.3.30" }, { "introduced": "7.4.0" }, { "last_affected": "7.4.29" }, { "introduced": "7.5.0" }, { "last_affected": "7.5.19" }, { "introduced": "7.6.0" }, { "last_affected": "7.6.15" }, { "introduced": "8.0.0" }, { "last_affected": "8.0.21" } ] }
- Type
- GIT
- Repo
- https://github.com/nghttp2/nghttp2
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedFixed
- Type
- GIT
- Repo
- https://github.com/nodejs/node
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroducedLast affectedIntroducedFixedIntroducedLast affectedIntroducedFixedIntroducedLast affected
- Database specific
{ "versions": [ { "introduced": "0" }, { "last_affected": "9.0" }, { "introduced": "0" }, { "last_affected": "10.0" }, { "introduced": "0" }, { "last_affected": "15.1" }, { "introduced": "0" }, { "last_affected": "14.3.0" }, { "introduced": "0" }, { "last_affected": "14.4.0" }, { "introduced": "0" }, { "last_affected": "3.1.0" }, { "introduced": "0" }, { "last_affected": "3.2.0" }, { "introduced": "0" }, { "last_affected": "20.1.0" }, { "introduced": "10.0.0" }, { "last_affected": "10.12.0" }, { "introduced": "10.13.0" }, { "fixed": "10.21.0" }, { "introduced": "12.0.0" }, { "last_affected": "12.12.0" }, { "introduced": "12.13.0" }, { "fixed": "12.18.0" }, { "introduced": "14.0.0" }, { "last_affected": "14.4.0" } ] }
Affected versions
mysql-3.*
mysql-3.23.22-beta
mysql-3.23.28-gamma
mysql-3.23.30-gamma
mysql-3.23.31
mysql-3.23.32
mysql-3.23.33
mysql-3.23.36
mysql-4.*
mysql-4.0.2
mysql-4.0.4
mysql-5.*
mysql-5.1.4
mysql-5.7-22-ndb-7.6.6
mysql-8.*
mysql-8.0.21
mysql-cluster-7.*
mysql-cluster-7.3.10
mysql-cluster-7.3.11
mysql-cluster-7.3.13
mysql-cluster-7.3.14
mysql-cluster-7.3.21
mysql-cluster-7.3.22
mysql-cluster-7.3.26
mysql-cluster-7.3.28
mysql-cluster-7.3.29
mysql-cluster-7.3.30
mysql-cluster-7.3.9
mysql-cluster-7.4.11
mysql-cluster-7.4.12
mysql-cluster-7.4.2
mysql-cluster-7.4.25
mysql-cluster-7.4.27
mysql-cluster-7.4.28
mysql-cluster-7.4.29
mysql-cluster-7.4.5
mysql-cluster-7.4.6
mysql-cluster-7.4.8
mysql-cluster-7.5.15
mysql-cluster-7.5.19
mysql-cluster-7.5.2
mysql-cluster-7.6.11
mysql-cluster-7.6.15
mysql-cluster-8.*
mysql-cluster-8.0.21
v0.*
v0.0.1
v0.0.2
v0.0.3
v0.0.4
v0.0.6
v0.1.0
v0.1.1
v0.1.10
v0.1.100
v0.1.101
v0.1.102
v0.1.103
v0.1.104
v0.1.11
v0.1.12
v0.1.13
v0.1.14
v0.1.15
v0.1.16
v0.1.17
v0.1.18
v0.1.19
v0.1.2
v0.1.20
v0.1.21
v0.1.22
v0.1.23
v0.1.24
v0.1.25
v0.1.26
v0.1.27
v0.1.28
v0.1.29
v0.1.3
v0.1.30
v0.1.31
v0.1.32
v0.1.33
v0.1.4
v0.1.5
v0.1.6
v0.1.7
v0.1.8
v0.1.9
v0.1.92
v0.1.93
v0.1.94
v0.1.95
v0.1.96
v0.1.97
v0.1.98
v0.1.99
v0.2.0
v0.3.0
v0.3.1
v0.3.2
v0.3.4
v0.3.5
v0.3.6
v0.3.7
v0.3.8
v0.4.0
v0.4.1
v0.5.0
v0.5.1
v0.5.10
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.5-rc1
v0.5.6
v0.5.7
v0.5.8
v0.5.9
v0.6.0
v0.6.1
v0.6.2
v0.6.3
v0.6.4
v0.6.5
v0.6.6
v0.6.7
v0.7.0
v0.7.1
v0.7.10
v0.7.11
v0.7.12
v0.7.13
v0.7.14
v0.7.15
v0.7.2
v0.7.3
v0.7.4
v0.7.5
v0.7.6
v0.7.7
v0.7.8
v0.7.9
v1.*
v1.0.0
v1.0.1
v1.0.1-release
v1.0.2
v1.0.2-release
v1.0.3
v1.0.4
v1.0.5
v1.1.0
v1.1.1
v1.1.2
v1.10.0
v1.11.0
v1.12.0
v1.13.0
v1.14.0
v1.15.0
v1.16.0
v1.17.0
v1.18.0
v1.19.0
v1.2.0
v1.2.1
v1.20.0
v1.21.0
v1.22.0
v1.23.0
v1.24.0
v1.25.0
v1.26.0
v1.27.0
v1.28.0
v1.29.0
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.3.4
v1.30.0
v1.31.0
v1.32.0
v1.33.0
v1.34.0
v1.35.0
v1.36.0
v1.37.0
v1.38.0
v1.39.0
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.40.0
v1.5.0
v1.5.1
v1.6.0
v1.6.1
v1.6.2
v1.6.3
v1.6.4
v1.7.0
v1.7.1
v1.8.0
v1.9.0
v1.9.1
v10.*
v10.0.0
v10.1.0
v10.10.0
v10.11.0
v10.12.0
v10.13.0
v10.14.0
v10.14.1
v10.14.2
v10.15.0
v10.15.1
v10.15.2
v10.15.3
v10.16.0
v10.16.1
v10.16.2
v10.16.3
v10.17.0
v10.18.0
v10.18.1
v10.19.0
v10.2.0
v10.2.1
v10.20.0
v10.20.1
v10.3.0
v10.4.0
v10.4.1
v10.5.0
v10.6.0
v10.7.0
v10.8.0
v10.9.0
v12.*
v12.0.0
v12.1.0
v12.10.0
v12.11.0
v12.11.1
v12.12.0
v12.13.0
v12.13.1
v12.14.0
v12.14.1
v12.15.0
v12.16.0
v12.16.1
v12.16.2
v12.16.3
v12.17.0
v12.2.0
v12.3.0
v12.3.1
v12.4.0
v12.5.0
v12.6.0
v12.7.0
v12.8.0
v12.8.1
v12.9.0
v12.9.1
v14.*
v14.0.0
v14.1.0
v14.2.0
v14.3.0
v14.4.0
v15.*
v15.0.0
v15.0.1
v15.1.0
v2.*
v2.0.0
v2.0.1
v2.0.2
v2.1.0
v2.2.0
v2.2.1
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.3.4
v2.4.0
v2.5.0
v20.*
v20.0.0
v20.1.0
v3.*
v3.0.0
v3.1.0
v3.2.0
v9.*
v9.0.0
vm-19.*
vm-19.3.2-pre
Database specific
vanir_signatures_modified
"2026-04-11T15:27:43Z"
vanir_signatures
[
{
"id": "CVE-2020-11080-043c15f6",
"signature_version": "v1",
"source": "https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090",
"digest": {
"function_hash": "77346755642097303584396383619358398552",
"length": 18563.0
},
"target": {
"file": "tests/main.c",
"function": "main"
},
"signature_type": "Function",
"deprecated": false
},
{
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"130478378985285426395828020745352499798",
"196503942045532253932110626834219947143",
"140220713152922819905257382060130445298"
]
},
"signature_type": "Line",
"source": "https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090",
"signature_version": "v1",
"target": {
"file": "tests/nghttp2_session_test.c"
},
"id": "CVE-2020-11080-14985976"
},
{
"id": "CVE-2020-11080-29794fd0",
"source": "https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090",
"digest": {
"threshold": 0.9,
"line_hashes": [
"299481480502669017256817653651965760144",
"192855200294858710714870647090618082678",
"171931255100099914416002534199507749118",
"134596621928972775674961808494563737758"
]
},
"signature_type": "Line",
"target": {
"file": "lib/nghttp2_session.h"
},
"signature_version": "v1",
"deprecated": false
},
{
"id": "CVE-2020-11080-4af6c055",
"source": "https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090",
"digest": {
"threshold": 0.9,
"line_hashes": [
"280874317114581665292887146495868357102",
"274381237785996237210746435884522152997",
"107451044609814117435435328329148362077",
"265830476977356558353157603069471539683"
]
},
"signature_type": "Line",
"target": {
"file": "tests/nghttp2_session_test.h"
},
"signature_version": "v1",
"deprecated": false
},
{
"target": {
"file": "lib/nghttp2_session.c",
"function": "nghttp2_session_mem_recv"
},
"deprecated": false,
"digest": {
"function_hash": "76320109155165413425003197983052626995",
"length": 25684.0
},
"signature_type": "Function",
"signature_version": "v1",
"source": "https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090",
"id": "CVE-2020-11080-5cb6f3ce"
},
{
"id": "CVE-2020-11080-73357273",
"target": {
"file": "lib/nghttp2_session.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"91080862305138533235158662184188504666",
"55719047791074478376451138928302749691",
"34423416865062340475666727477469394742",
"160694452227622041512789921840087788128",
"125215487250163291681325310929119184725",
"304511006625711842872697081582856130109",
"146521828018515530096198461293603487510",
"77071207928031166158783556068782833928",
"43043000719327973590426123686028805161",
"179003225043518908190906283800628246232",
"105742072403147979607114434011564829201",
"233584587159786120052703451071535283688",
"283651529724345891378773186219206064596",
"14651239339197374400702615701208359594",
"192045365012885780981896872206360096339"
]
},
"signature_type": "Line",
"signature_version": "v1",
"source": "https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090",
"deprecated": false
},
{
"id": "CVE-2020-11080-8621d90d",
"target": {
"file": "lib/nghttp2_option.h"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"63766746716490509158265166290164411355",
"50635060742961895873309443562646461749",
"239135157918357008258296874879627556704",
"262788658577533723179089072256574826527",
"308365296203565026472293299273132062617",
"221121337717265128092329712418842083664",
"103420866999420189564175411823852472381",
"302740726034182105606640494944642389408"
]
},
"signature_type": "Line",
"signature_version": "v1",
"source": "https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090",
"deprecated": false
},
{
"id": "CVE-2020-11080-91463383",
"source": "https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090",
"digest": {
"function_hash": "161237338488688124648574588901191514607",
"length": 3119.0
},
"signature_type": "Function",
"target": {
"file": "lib/nghttp2_helper.c",
"function": "nghttp2_strerror"
},
"signature_version": "v1",
"deprecated": false
},
{
"target": {
"file": "lib/nghttp2_session.c",
"function": "session_new"
},
"deprecated": false,
"digest": {
"length": 5015.0,
"function_hash": "263822875862045880231887339213735516174"
},
"signature_type": "Function",
"signature_version": "v1",
"source": "https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090",
"id": "CVE-2020-11080-9256b42a"
},
{
"id": "CVE-2020-11080-93a5c7ca",
"signature_version": "v1",
"source": "https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090",
"digest": {
"threshold": 0.9,
"line_hashes": [
"299600677355295622260323329753137725168",
"207336653490817637956563444167084485017",
"173962859204859183510964537905480471226",
"263987830515868330154101366183012883049",
"43061682448991184130831432058325332900",
"296025395023612671134012733026983718977",
"132824854117467898005988011917814540319",
"42461200801133469667506603652589266889",
"60147014574846046905448290406570903562",
"334292343408006444436679522713366391316"
]
},
"target": {
"file": "lib/includes/nghttp2/nghttp2.h"
},
"signature_type": "Line",
"deprecated": false
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"72648759381140541927944427180807827419",
"86294245556859006400665914123068255423",
"309234068633173169723482597667900608056",
"31192511699064862677426786158272593111"
]
},
"id": "CVE-2020-11080-98628c0b",
"signature_type": "Line",
"source": "https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090",
"signature_version": "v1",
"target": {
"file": "tests/main.c"
},
"deprecated": false
},
{
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"47185053208666008208030602997273026950",
"192311053182551829065672374186794059354",
"196600914829518509840604020846440765447"
]
},
"signature_type": "Line",
"source": "https://github.com/nghttp2/nghttp2/commit/f8da73bd042f810f34d19f9eae02b46d870af394",
"signature_version": "v1",
"target": {
"file": "lib/nghttp2_session.c"
},
"id": "CVE-2020-11080-9b133b71"
},
{
"id": "CVE-2020-11080-abc2509e",
"source": "https://github.com/nghttp2/nghttp2/commit/f8da73bd042f810f34d19f9eae02b46d870af394",
"digest": {
"function_hash": "272294011727504450056056312260246035417",
"length": 25898.0
},
"signature_type": "Function",
"target": {
"file": "lib/nghttp2_session.c",
"function": "nghttp2_session_mem_recv"
},
"signature_version": "v1",
"deprecated": false
},
{
"id": "CVE-2020-11080-c054b6e7",
"signature_version": "v1",
"source": "https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090",
"digest": {
"threshold": 0.9,
"line_hashes": [
"158755643856787929620345895606655037940",
"177488015206800958109423790823881861161",
"16463961717879961764121185295358555699",
"318001711588175060333961809437607705430"
]
},
"target": {
"file": "lib/nghttp2_helper.c"
},
"signature_type": "Line",
"deprecated": false
},
{
"id": "CVE-2020-11080-c7806524",
"source": "https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090",
"digest": {
"function_hash": "232072567350380857623571495123190065086",
"length": 1322.0
},
"signature_type": "Function",
"target": {
"file": "lib/nghttp2_session.c",
"function": "nghttp2_session_upgrade_internal"
},
"signature_version": "v1",
"deprecated": false
}
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-11080.json"
unresolved_ranges
[
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "31"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "33"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"fixed": "21.1.2"
}
]
}
]