GO-2026-4958
- Source
- https://pkg.go.dev/vuln/GO-2026-4958
- Import Source
- https://vuln.go.dev/ID/GO-2026-4958.json
- JSON Data
- https://api.osv.dev/v1/vulns/GO-2026-4958
- Aliases
-
- CVE-2026-35469
- GHSA-pc3f-x583-g7j2
- Related
- Published
- 2026-05-26T22:49:05Z
- Modified
- 2026-05-27T14:44:15.790339428Z
- Summary
- Uncontrolled resource consumption when parsing SPDY frames in github.com/moby/spdystream
- Details
-
The SPDY/3 frame parser in spdystream does not validate attacker-controlled counts and lengths before allocating memory. A remote peer that can send SPDY frames to a service using spdystream can cause the process to allocate gigabytes of memory with a small number of malformed control frames, leading to an out-of-memory crash.
Three allocation paths in the receive side are affected: 1. SETTINGS entry count: The SETTINGS frame reader reads a 32-bit numSettings from the payload and allocates a slice of that size without checking it against the declared frame length. 2. Header count: parseHeaderValueBlock reads a 32-bit numHeaders from the decompressed header block and allocates an http.Header map of that size with no upper bound. 3. Header field size: Individual header name and value lengths are read as 32-bit integers and used directly as allocation sizes with no validation.
Because SPDY header blocks are zlib-compressed, a small on-the-wire payload can decompress into attacker-controlled bytes that the parser interprets as 32-bit counts and lengths. A single crafted frame is enough to exhaust process memory.
- Database specific
{ "review_status": "REVIEWED", "url": "https://pkg.go.dev/vuln/GO-2026-4958" }- References
- Credits
-
-
- Samuel Karp
-
Affected packages
Go / github.com/moby/spdystream
Package
- Name
- github.com/moby/spdystream
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/moby/spdystream
Affected ranges
- Type
- SEMVER
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.5.1