CVE-2024-28182: Reading unbounded number of HTTP/2 CONTINUATION frames to cause excessive CPU usage

Published Mar 8, 2024 · Last updated 24 July 2024

Affected Software

28 affected components · Fixes available
debian/nghttp2 <=1.43.0-1+deb11u1, <=1.52.0-1+deb12u1 (fixed in 1.43.0-1+deb11u2, 1.52.0-1+deb12u2, 1.64.0-1.1)
redhat/nghttp2 <1.61.0 (fixed in 1.61.0)
nghttp2 nghttp2<1.61.0
Debian Debian Linux=10.0
Debian Debian Linux=11.0
Fedoraproject Fedora=38
Fedoraproject Fedora=39
Fedoraproject Fedora=40
IBM DS8A00( R10.0 - R10.1 )<=10.1.3.0 - 10.10.106.0
IBM DS8900F ( R9.4)<=89.40.83.0-89.44.5.0
Microsoft cbl2 nghttp2 1.57.0-2
Microsoft azl3 nodejs 20.10.0-2
Microsoft azl3 nghttp2 1.59.0-1
Microsoft cbl2 nodejs18 18.20.2-2
Microsoft azl3 rust 1.75.0-1
Microsoft azl3 cmake 3.30.3-6
Microsoft cbl2 cmake 3.21.4-17
Microsoft azl3 fluent-bit 3.1.9-4
Microsoft cbl2 fluent-bit 3.0.6-2
Microsoft azl3 nodejs 20.14.0-1
Microsoft azl3 cmake 3.29.6-1
Microsoft azl3 nghttp2 1.61.0-1
Microsoft cbl2 nodejs18 18.20.2-2
Microsoft cbl2 cmake 3.21.4-14
Microsoft cbl2 cmake 3.21.4-17
Microsoft cbl2 fluent-bit 3.0.6-1
Microsoft cbl2 nodejs18 18.20.3-1
Microsoft cbl2 rust 1.68.0-1

Event History

Apr 4, 2024
CVE Published via MITRE · 02:41 PM
Data Sourced via MITRE · 02:41 PM (Description, Severity, Weakness)
Data Sourced via NVD · 03:15 PM (Description, Severity, Weakness)
Data Sourced via NVD · 03:15 PM (Remedy, Affected Software)
May 31, 2024
Data Sourced via Launchpad · 11:42 PM (Description)
Jun 30, 2024
Data Sourced via Microsoft · 02:00 PM (Description, Severity, Weakness)
Data Sourced via Microsoft · 02:00 PM (Affected Software)
Updated via Microsoft · 02:00 PM (Description, Severity)
Updated via Microsoft · 02:00 PM (Description)
Sep 16, 2024
Data Sourced via Ubuntu · 11:58 PM (Remedy, Description, Severity, Affected Software)
Dec 18, 2025
Data Sourced via IBM · 12:00 AM (Description, Affected Software)

Frequently Asked Questions

1. What is the severity of CVE-2024-28182?

CVE-2024-28182 has been classified as a moderate severity vulnerability due to its potential impact on application performance.

2. How do I fix CVE-2024-28182?

To fix CVE-2024-28182, you should upgrade nghttp2 to version 1.61.0 or later.

3. What software is affected by CVE-2024-28182?

The nghttp2 library versions prior to 1.61.0 are affected by CVE-2024-28182.

4. What is the nature of the issue described in CVE-2024-28182?

CVE-2024-28182 involves an unbounded reading of HTTP/2 CONTINUATION frames which can lead to unnecessary memory usage.

5. What can happen if CVE-2024-28182 is exploited?

Exploitation of CVE-2024-28182 can result in performance degradation due to excessive memory consumption.
