MEDIUM · 5.3

CVE-2022-41717

Vulnerability Description

An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.

CVSS Score

5.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: NONE
Integrity: NONE
Availability: LOW

Affected Products

Vendor          Product   Versions
Golang          Go        < 1.18.9
Golang          Http2     < 0.4.0
Fedoraproject   Fedora    37

Related Weaknesses (CWE)

References

FAQ

What is CVE-2022-41717?

CVE-2022-41717 is a vulnerability with a CVSS score of 5.3 (MEDIUM). An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.

How severe is CVE-2022-41717?

CVE-2022-41717 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-41717?

Check the references section above for vendor advisories and patch information. Affected products include: Golang Go, Golang Http2, Fedoraproject Fedora.