{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/885548#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nA denial-of-service (DoS) vulnerability exists in some HTTP/2 server implementations that fail to adequately limit resource consumption when buffering response data under stalled flow-control conditions. A remote, unauthenticated attacker can trigger memory exhaustion and service interruption by using standard flow-control parameters such as `SETTINGS_INITIAL_WINDOW_SIZE = 0` to stall outbound data for multiple simultaneous request streams.\r\n\r\n### Description\r\nHTTP/2 is a widely used application-layer protocol that supports multiplexing, header compression, and flow-control mechanisms to regulate the transmission of data between web browsers and servers. Flow control is designed to prevent senders from overwhelming receivers and relies on client-advertised window sizes to determine the maximum volume of unacknowledged data that can be in transit at any given time. \r\n\r\nA client can intentionally stall outbound flow control by withholding `WINDOW_UPDATE` frames or by advertising `SETTINGS_INITIAL_WINDOW_SIZE = 0`. In some HTTP/2 implementations, the server continues processing requests and generating complete response bodies even though it is unable to transmit them. The resulting response data remains buffered in memory, and each stalled stream retains its allocated buffer until the connection closes or a timeout occurs.\r\n\r\nAn attacker can exploit this behavior by opening many simultaneous streams and requesting large resources, causing the server to accumulate large amounts of buffered response data. In environments with permissive resource limits, this can lead to excessive memory consumption, swap exhaustion, service instability, and, in severe cases, system crashes. Even under more conservative limits, the attack can exhaust worker or connection resources and degrade service availability.\r\n\r\n### Impact\r\nA remote, unauthenticated attacker can cause denial-of-service conditions on affected HTTP/2 server implementations. Under high resource limits, an attacker may be able to induce unbounded memory amplification resulting in OOM kills, severe swap thrashing, or full system unresponsiveness. Under default or lower limits, the attack can exhaust available connections or worker resources, temporarily preventing new clients from establishing sessions and degrading overall service availability.\r\n\r\n### Solution\r\nSeveral vendors have addressed this vulnerability in recent updates; see the **Vendor Information** section for individual CVEs and remediation details. Implementations that enforce memory ceilings, restrict concurrent stream counts, and actively terminate stalled connections can substantially reduce the risk of denial-of-service conditions.\r\n\r\n### Acknowledgements\r\nThanks to the Okta Red Team for researching and reporting this vulnerability. This document was written by Molly Jaconski.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"},{"category":"other","text":"The HTTP/2 specification is not the right target for this disclosure.\r\n\r\nThis is not the first time that vulnerability disclosures have been opened on this specification. Thus far, no vulnerability has applied to the specification. Then, as now, the problem is with implementations.\r\n\r\nWhen writing standards, the goal is to facilitate secure interoperation between two parties. If a competent team of engineers can achieve that goal by following the specification, then the specification is good.\r\n\r\nThe responsibility lies with the engineers building implementations, not the specification. If an engineer builds an implementation with a buffer overflow, that is on them, not the specification. Likewise, if there is a denial of service issue, that's on the engineers and the implementation, not the spec.\r\n\r\nFor this case, RFC 9113 does make some attempt to provide implementers some help in dealing with denial of service, but it is very clear that it cannot provide comprehensive instructions. It does seem like this is common enough bug that it would be worth adding to the advice if we had an opportunity to revise the RFC. \r\n\r\nThe right thing to do here is to open disclosures on affected implementations.","title":"Vendor statment from IETF HTTP Working Group"},{"category":"other","text":"The vulnerability impacts NetScaler ADC and NetScaler Gateway when HTTP/2 is enabled in the HTTP Profile and associated with the virtual server (of type LB, CS, VPN) or the service configured on NetScaler. \r\n\r\nCustomers are recommended to install the relevant updated versions as soon as possible - \r\n* NetScaler ADC and NetScaler Gateway 14.1-72.61 and later releases\r\n* NetScaler ADC and NetScaler Gateway 13.1-63.18 and later releases of 13.1\r\n* NetScaler ADC 14.1-FIPS 14.1-72.61 FIPS and later releases of 14.1-FIPS\r\n* NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.272 and later releases of 13.1-FIPS and 13.1-NDcPP\r\n\r\nAfter the upgrade, configure the Http2SmallWndTimeout parameter, which controls the timeout (in seconds) for HTTP/2 small‑window stalled streams.\r\n* For appliances using HTTP Strict Profiles, this parameter defaults to 30 seconds, and the fix is effective immediately after the upgrade.  If you are already using HTTP Strict Profiles then you do not need to take any additional action. Only upgrade to the fixed builds will remediate the vulnerability.\r\n* For appliances NOT using HTTP Strict Profiles, the default value is 0, and in that case, merely upgrading to the builds containing the fix WILL NOT address the vulnerability completely. In this case, customers must manually set Http2SmallWndTimeout to 30 seconds.\r\n\r\nPlease note that Http2SmallWndTimeout is a new parameter and is only available in the firmware builds that contain the fix.\r\n\r\n**Configuration command:**\r\nset ns httpProfile <profile_name> -http2SmallWndTimeout <value_in_seconds>","title":"Vendor statment from Citrix"},{"category":"other","text":"The X.Org Foundation does not produce nor ship any HTTP/2 implementations.","title":"Vendor statment from X.org Foundation"},{"category":"other","text":"No HTTP/2 implementations are shipped with eCosPro RTOS","title":"Vendor statment from eCosCentric"},{"category":"other","text":"Not impacted","title":"Vendor statment from AMD"},{"category":"other","text":"None of tested BIND versions are vulnerable. Even in the worst case of artificial 64k DNS responses and 100 concurrent queries per connection (default limit), peak memory usage is about 1.6 MB per HTTP/2+TLS connection. Inactive connections are closed by timer after 30 seconds (default limit).\r\n\r\nTested on:\r\n- bind-9.18 commit 0a84d255\r\n- bind-9.20 commit 93cfd196\r\n- main commit d12d3b2c","title":"Vendor statment from Internet Systems Consortium"},{"category":"other","text":"This vulnerability depends on the buffer size for upstream data being set to SIZE_MAX. The Fastly implementation of h2o's max buffer size for upstream data is set to a small number (instead of the default unlimited size), then Fastly is not vulnerable.","title":"Vendor statment from Fastly"},{"category":"other","text":"This attack relates to Data Dribble (CVE-2019-9511) and our CI verifies that Tempesta FW blocks clients producing many HTTP/2 slow streams requesting large resources.","title":"Vendor statment from Tempesta"},{"category":"other","text":"CVE-2026-44909","title":"CERT/CC comment on Meta notes"},{"category":"other","text":"We are shipping apache2 and nginx and other http/2 implementations and will implement guidance or fixes as suggested by upstream.","title":"Vendor statment from SUSE Linux"},{"category":"other","text":"CVE-2026-59173","title":"CERT/CC comment on Apache Traffic Server Project notes"},{"category":"other","text":"We were unable to reproduce the impact the researcher described using the POC.\r\n\r\nIt appears this attack does not pose a significant impact or only poses an impact in a small selection of use cases.","title":"Vendor statment from GitHub"},{"category":"other","text":"Apache Traffic Server's HTTP/2 stream limit (proxy.config.http2.max_active_streams_in) was advisory only, so a remote client could open concurrent streams faster than the throttle took effect and exhaust proxy memory, causing a denial of service. Fixed in 9.2.14 and 10.1.3 by hard-enforcing the limit with HTTP/2 REFUSED_STREAM. CVE-2026-59173","title":"Vendor statment from Yahoo Inc."}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/885548"},{"url":"https://datatracker.ietf.org/doc/rfc9113/","summary":"https://datatracker.ietf.org/doc/rfc9113/"},{"url":"https://my.f5.com/manage/s/article/K000162231","summary":"https://my.f5.com/manage/s/article/K000162231"},{"url":"https://gitlab.isc.org/isc-projects/bind9/-/issues/5948","summary":"Reference(s) from vendor \"Internet Systems Consortium\""},{"url":"https://my.f5.com/manage/s/article/K000162231","summary":"Reference(s) from vendor \"F5 Networks\""}],"title":"Denial-of-service vulnerability in HTTP/2 servers via stalled flow-control conditions","tracking":{"current_release_date":"2026-07-16T20:18:44+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.43"}},"id":"VU#885548","initial_release_date":"2026-07-16 18:00:58.181136+00:00","revision_history":[{"date":"2026-07-16T20:18:44+00:00","number":"1.20260716201844.6","summary":"Released on 2026-07-16T20:18:44+00:00"}],"status":"final","version":"1.20260716201844.6"}},"vulnerabilities":[{"title":"A denial‑of‑service vulnerability in the HTTP/2 flow‑control mechanism allows a remote, unauthenticated attacker to exhaust server memory by advertising SETTINGS_INITIAL_WINDOW_SIZE=0, preventing servers from transmitting response data while accumulating response payloads in server RAM.","notes":[{"category":"summary","text":"A denial‑of‑service vulnerability in the HTTP/2 flow‑control mechanism allows a remote, unauthenticated attacker to exhaust server memory by advertising SETTINGS_INITIAL_WINDOW_SIZE=0, preventing servers from transmitting response data while accumulating response payloads in server RAM. By opening multiple streams requesting large resources and holding connections open with keepalive pings, an attacker can trigger massive memory amplification and eventual server or kernel crash when the connections are dropped.\r\n\r\nSee individual vendor CVE IDs for specific details."}],"cve":"CVE-2026-44909","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#885548"}]},{"title":"When an HTTP/2 profile is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization.","notes":[{"category":"summary","text":"When an HTTP/2 profile is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization.   Impact: System performance can degrade until the TMM process is either forced to restart or is manually restarted. This vulnerability allows a remote, unauthenticated attacker to cause a degradation of service that can lead to a denial-of-service (DoS) on the BIG-IP system. There is no control plane exposure; this is a data plane issue only. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}],"cve":"CVE-2026-59762","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#885548"}]},{"title":"A denial‑of‑service vulnerability in the HTTP/2 flow‑control mechanism allows a remote, unauthenticated attacker to exhaust server memory by advertising SETTINGS_INITIAL_WINDOW_SIZE=0, preventing servers from transmitting response data while accumulating response payloads in server RAM.","notes":[{"category":"summary","text":"A denial‑of‑service vulnerability in the HTTP/2 flow‑control mechanism allows a remote, unauthenticated attacker to exhaust server memory by advertising SETTINGS_INITIAL_WINDOW_SIZE=0, preventing servers from transmitting response data while accumulating response payloads in server RAM. By opening multiple streams requesting large resources and holding connections open with keepalive pings, an attacker can trigger massive memory amplification and eventual server or kernel crash when the connections are dropped.\r\n\r\nSee individual vendor CVE IDs for specific details."}],"cve":"CVE-2026-59173","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#885548"}],"product_status":{"known_affected":["CSAFPID-e3fba7f4-815a-11f1-8a12-0affffeb3875","CSAFPID-e3fbce5a-815a-11f1-8a12-0affffeb3875","CSAFPID-e3fc249a-815a-11f1-8a12-0affffeb3875","CSAFPID-e3fc9fba-815a-11f1-8a12-0affffeb3875","CSAFPID-e3fcef1a-815a-11f1-8a12-0affffeb3875","CSAFPID-e3fd1846-815a-11f1-8a12-0affffeb3875","CSAFPID-e3fd6a3a-815a-11f1-8a12-0affffeb3875"],"known_not_affected":["CSAFPID-e3f8d682-815a-11f1-8a12-0affffeb3875","CSAFPID-e3f90378-815a-11f1-8a12-0affffeb3875","CSAFPID-e3f92e98-815a-11f1-8a12-0affffeb3875","CSAFPID-e3f957e2-815a-11f1-8a12-0affffeb3875","CSAFPID-e3f9860e-815a-11f1-8a12-0affffeb3875","CSAFPID-e3f9ae72-815a-11f1-8a12-0affffeb3875","CSAFPID-e3f9d67c-815a-11f1-8a12-0affffeb3875","CSAFPID-e3fa05c0-815a-11f1-8a12-0affffeb3875","CSAFPID-e3fa2fa0-815a-11f1-8a12-0affffeb3875","CSAFPID-e3fa5a70-815a-11f1-8a12-0affffeb3875","CSAFPID-e3fa8392-815a-11f1-8a12-0affffeb3875","CSAFPID-e3faab42-815a-11f1-8a12-0affffeb3875","CSAFPID-e3fad78e-815a-11f1-8a12-0affffeb3875","CSAFPID-e3fb0268-815a-11f1-8a12-0affffeb3875","CSAFPID-e3fb2b26-815a-11f1-8a12-0affffeb3875","CSAFPID-e3fb5876-815a-11f1-8a12-0affffeb3875","CSAFPID-e3fb8012-815a-11f1-8a12-0affffeb3875","CSAFPID-e3fbfaf6-815a-11f1-8a12-0affffeb3875","CSAFPID-e3fc4eca-815a-11f1-8a12-0affffeb3875","CSAFPID-e3fc7648-815a-11f1-8a12-0affffeb3875","CSAFPID-e3fcc800-815a-11f1-8a12-0affffeb3875","CSAFPID-e3fd4078-815a-11f1-8a12-0affffeb3875"]}}],"product_tree":{"branches":[{"category":"vendor","name":"AMD","product":{"name":"AMD Products","product_id":"CSAFPID-e3f8d682-815a-11f1-8a12-0affffeb3875"}},{"category":"vendor","name":"IETF HTTP Working Group","product":{"name":"IETF HTTP Working Group Products","product_id":"CSAFPID-e3f90378-815a-11f1-8a12-0affffeb3875"}},{"category":"vendor","name":"X.org Foundation","product":{"name":"X.org Foundation Products","product_id":"CSAFPID-e3f92e98-815a-11f1-8a12-0affffeb3875"}},{"category":"vendor","name":"nghttp2","product":{"name":"nghttp2 Products","product_id":"CSAFPID-e3f957e2-815a-11f1-8a12-0affffeb3875"}},{"category":"vendor","name":"eCosCentric","product":{"name":"eCosCentric Products","product_id":"CSAFPID-e3f9860e-815a-11f1-8a12-0affffeb3875"}},{"category":"vendor","name":"Paessler","product":{"name":"Paessler Products","product_id":"CSAFPID-e3f9ae72-815a-11f1-8a12-0affffeb3875"}},{"category":"vendor","name":"HAProxy","product":{"name":"HAProxy Products","product_id":"CSAFPID-e3f9d67c-815a-11f1-8a12-0affffeb3875"}},{"category":"vendor","name":"Go Programming Language","product":{"name":"Go Programming Language Products","product_id":"CSAFPID-e3fa05c0-815a-11f1-8a12-0affffeb3875"}},{"category":"vendor","name":"Internet Systems Consortium","product":{"name":"Internet Systems Consortium Products","product_id":"CSAFPID-e3fa2fa0-815a-11f1-8a12-0affffeb3875"}},{"category":"vendor","name":"Fastly","product":{"name":"Fastly Products","product_id":"CSAFPID-e3fa5a70-815a-11f1-8a12-0affffeb3875"}},{"category":"vendor","name":"LiteSpeed Technologies","product":{"name":"LiteSpeed Technologies Products","product_id":"CSAFPID-e3fa8392-815a-11f1-8a12-0affffeb3875"}},{"category":"vendor","name":"netsnmp","product":{"name":"netsnmp Products","product_id":"CSAFPID-e3faab42-815a-11f1-8a12-0affffeb3875"}},{"category":"vendor","name":"Tempesta","product":{"name":"Tempesta Products","product_id":"CSAFPID-e3fad78e-815a-11f1-8a12-0affffeb3875"}},{"category":"vendor","name":"lighttpd","product":{"name":"lighttpd Products","product_id":"CSAFPID-e3fb0268-815a-11f1-8a12-0affffeb3875"}},{"category":"vendor","name":"gRPC","product":{"name":"gRPC Products","product_id":"CSAFPID-e3fb2b26-815a-11f1-8a12-0affffeb3875"}},{"category":"vendor","name":"hyperium","product":{"name":"hyperium Products","product_id":"CSAFPID-e3fb5876-815a-11f1-8a12-0affffeb3875"}},{"category":"vendor","name":"Softvelum","product":{"name":"Softvelum Products","product_id":"CSAFPID-e3fb8012-815a-11f1-8a12-0affffeb3875"}},{"category":"vendor","name":"Meta","product":{"name":"Meta Products","product_id":"CSAFPID-e3fba7f4-815a-11f1-8a12-0affffeb3875"}},{"category":"vendor","name":"SUSE Linux","product":{"name":"SUSE Linux Products","product_id":"CSAFPID-e3fbce5a-815a-11f1-8a12-0affffeb3875"}},{"category":"vendor","name":"LANCOM Systems GmbH","product":{"name":"LANCOM Systems GmbH Products","product_id":"CSAFPID-e3fbfaf6-815a-11f1-8a12-0affffeb3875"}},{"category":"vendor","name":"Apache Traffic Server Project","product":{"name":"Apache Traffic Server Project Products","product_id":"CSAFPID-e3fc249a-815a-11f1-8a12-0affffeb3875"}},{"category":"vendor","name":"Cloudflare","product":{"name":"Cloudflare Products","product_id":"CSAFPID-e3fc4eca-815a-11f1-8a12-0affffeb3875"}},{"category":"vendor","name":"GNU wget","product":{"name":"GNU wget Products","product_id":"CSAFPID-e3fc7648-815a-11f1-8a12-0affffeb3875"}},{"category":"vendor","name":"F5 Networks","product":{"name":"F5 Networks Products","product_id":"CSAFPID-e3fc9fba-815a-11f1-8a12-0affffeb3875"}},{"category":"vendor","name":"GitHub","product":{"name":"GitHub Products","product_id":"CSAFPID-e3fcc800-815a-11f1-8a12-0affffeb3875"}},{"category":"vendor","name":"Yahoo Inc.","product":{"name":"Yahoo Inc. Products","product_id":"CSAFPID-e3fcef1a-815a-11f1-8a12-0affffeb3875"}},{"category":"vendor","name":"Red Hat","product":{"name":"Red Hat Products","product_id":"CSAFPID-e3fd1846-815a-11f1-8a12-0affffeb3875"}},{"category":"vendor","name":"Eclipse Foundation","product":{"name":"Eclipse Foundation Products","product_id":"CSAFPID-e3fd4078-815a-11f1-8a12-0affffeb3875"}},{"category":"vendor","name":"Citrix","product":{"name":"Citrix Products","product_id":"CSAFPID-e3fd6a3a-815a-11f1-8a12-0affffeb3875"}}]}}