GHSA-f8vr-r385-rh5r

Source

https://github.com/advisories/GHSA-f8vr-r385-rh5r

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-f8vr-r385-rh5r/GHSA-f8vr-r385-rh5r.json

Aliases

• CVE-2023-26964
• RUSTSEC-2023-0034

Published

2023-04-11T15:30:30Z

Modified

2023-11-08T04:12:03.011700Z

Details

Hyper is an HTTP library for Rust and h2 is an HTTP 2.0 client & server implementation for Rust. An issue was discovered in h2 v0.2.4 when processing header frames. It incorrectly processes the HTTP2 RST_STREAM frames by not always releasing the memory immediately upon receiving the reset frame, leading to stream stacking. As a result, the memory and CPU usage are high which can lead to a Denial of Service (DoS).

This issue affects users only when dealing with http2 connections.

References

• https://nvd.nist.gov/vuln/detail/CVE-2023-26964
• https://github.com/hyperium/h2/issues/621
• https://github.com/hyperium/hyper/issues/2877
• https://github.com/hyperium/h2/pull/668
• https://github.com/hyperium/hyper
• https://rustsec.org/advisories/RUSTSEC-2023-0034.html