{"vuid":"VU#885548","idnumber":"885548","name":"Denial-of-service vulnerability in HTTP/2 servers via stalled flow-control conditions","keywords":null,"overview":"### Overview\r\nA denial-of-service (DoS) vulnerability exists in some HTTP/2 server implementations that fail to adequately limit resource consumption when buffering response data under stalled flow-control conditions. A remote, unauthenticated attacker can trigger memory exhaustion and service interruption by using standard flow-control parameters such as `SETTINGS_INITIAL_WINDOW_SIZE = 0` to stall outbound data for multiple simultaneous request streams.\r\n\r\n### Description\r\nHTTP/2 is a widely used application-layer protocol that supports multiplexing, header compression, and flow-control mechanisms to regulate the transmission of data between web browsers and servers. Flow control is designed to prevent senders from overwhelming receivers and relies on client-advertised window sizes to determine the maximum volume of unacknowledged data that can be in transit at any given time. \r\n\r\nA client can intentionally stall outbound flow control by withholding `WINDOW_UPDATE` frames or by advertising `SETTINGS_INITIAL_WINDOW_SIZE = 0`. In some HTTP/2 implementations, the server continues processing requests and generating complete response bodies even though it is unable to transmit them. The resulting response data remains buffered in memory, and each stalled stream retains its allocated buffer until the connection closes or a timeout occurs.\r\n\r\nAn attacker can exploit this behavior by opening many simultaneous streams and requesting large resources, causing the server to accumulate large amounts of buffered response data. In environments with permissive resource limits, this can lead to excessive memory consumption, swap exhaustion, service instability, and, in severe cases, system crashes. Even under more conservative limits, the attack can exhaust worker or connection resources and degrade service availability.\r\n\r\n### Impact\r\nA remote, unauthenticated attacker can cause denial-of-service conditions on affected HTTP/2 server implementations. Under high resource limits, an attacker may be able to induce unbounded memory amplification resulting in OOM kills, severe swap thrashing, or full system unresponsiveness. Under default or lower limits, the attack can exhaust available connections or worker resources, temporarily preventing new clients from establishing sessions and degrading overall service availability.\r\n\r\n### Solution\r\nSeveral vendors have addressed this vulnerability in recent updates; see the **Vendor Information** section for individual CVEs and remediation details. Implementations that enforce memory ceilings, restrict concurrent stream counts, and actively terminate stalled connections can substantially reduce the risk of denial-of-service conditions.\r\n\r\n### Acknowledgements\r\nThanks to the Okta Red Team for researching and reporting this vulnerability. This document was written by Molly Jaconski.","clean_desc":null,"impact":null,"resolution":null,"workarounds":null,"sysaffected":null,"thanks":null,"author":null,"public":["https://datatracker.ietf.org/doc/rfc9113/","https://my.f5.com/manage/s/article/K000162231"],"cveids":["CVE-2026-59762","CVE-2026-44909","CVE-2026-59173"],"certadvisory":null,"uscerttechnicalalert":null,"datecreated":"2026-07-16T18:00:59.037230Z","publicdate":"2026-07-16T18:00:58.181136Z","datefirstpublished":"2026-07-16T18:00:59.046427Z","dateupdated":"2026-07-16T20:18:44.123232Z","revision":6,"vrda_d1_directreport":null,"vrda_d1_population":null,"vrda_d1_impact":null,"cam_widelyknown":null,"cam_exploitation":null,"cam_internetinfrastructure":null,"cam_population":null,"cam_impact":null,"cam_easeofexploitation":null,"cam_attackeraccessrequired":null,"cam_scorecurrent":null,"cam_scorecurrentwidelyknown":null,"cam_scorecurrentwidelyknownexploited":null,"ipprotocol":null,"cvss_accessvector":null,"cvss_accesscomplexity":null,"cvss_authentication":null,"cvss_confidentialityimpact":null,"cvss_integrityimpact":null,"cvss_availabilityimpact":null,"cvss_exploitablity":null,"cvss_remediationlevel":null,"cvss_reportconfidence":null,"cvss_collateraldamagepotential":null,"cvss_targetdistribution":null,"cvss_securityrequirementscr":null,"cvss_securityrequirementsir":null,"cvss_securityrequirementsar":null,"cvss_basescore":null,"cvss_basevector":null,"cvss_temporalscore":null,"cvss_environmentalscore":null,"cvss_environmentalvector":null,"metric":null,"vulnote":220}