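The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2c, does not restrict request-header length. This allows remote attackers to cause a denial of service (memory consumption) via crafted CONTINUATION frames in an HTTP/2 request. Because an HTTP/2 header block may be continued across any number of CONTINUATION frames, a server that places no limit on the accumulated header size keeps allocating memory for a single request's headers.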
{ "vanir_signatures": [ { "id": "CVE-2016-8740-0be1a6b6", "digest": { "threshold": 0.9, "line_hashes": [ "244481023149475990456424850895476734125", "168040519394189920969892210167506517800", "139431050514121276237459091241647733530", "284714966141694497850569737308043946749", "154048304374484397059762233995036391183", "219737829885307372509143401869068772761", "290554099235531278015707942428858454509", "169703350810207944164328355273129720536" ] }, "signature_type": "Line", "deprecated": false, "target": { "file": "modules/http2/h2_session.c" }, "signature_version": "v1", "source": "https://github.com/apache/httpd/commit/29c63b786ae028d82405421585e91283c8fa0da3" }, { "id": "CVE-2016-8740-10cf6e18", "digest": { "length": 1540.0, "function_hash": "101208191567229092215005179581469079528" }, "signature_type": "Function", "deprecated": false, "target": { "file": "modules/http2/h2_stream.c", "function": "h2_stream_add_header" }, "signature_version": "v1", "source": "https://github.com/apache/httpd/commit/29c63b786ae028d82405421585e91283c8fa0da3" }, { "id": "CVE-2016-8740-37cc2b20", "digest": { "length": 746.0, "function_hash": "35133289215646842858268275242346878128" }, "signature_type": "Function", "deprecated": false, "target": { "file": "modules/http2/h2_session.c", "function": "on_header_cb" }, "signature_version": "v1", "source": "https://github.com/apache/httpd/commit/29c63b786ae028d82405421585e91283c8fa0da3" }, { "id": "CVE-2016-8740-8892a9f9", "digest": { "threshold": 0.9, "line_hashes": [ "330812928712923097647431169060852349694", "97962330718371112716733895949993495762", "161288343024700098132977802419383077435", "292267065053052929177953934748603888727", "36057126629300946047816038563126389476", "89957812090240971340612567678165689731", "146205415267399968769228124982979820038", "306884228181902485425325017978175973343", "32905650322731696362541229059889047789", "16379505148143251773312657069267948909", "10851256074961049183059790553469473188", 
"247713302117673057198521258381099537497", "65748729280087126396730872948384230666", "35988379571957043779869214937787771388", "35513896102442032076111771610559934690", "183361426703405195366100702376465548034", "122740754188583041226320097802970122663", "162023900025323705511919602298398980073", "50951168893058211790274303055653784378", "209968976316518048543613380668427410444", "175176200539830981198336514731950225010", "258029099397505074905860117525472594082", "264116288663167832946635420571092014093", "99838132887637535165142863012539037225", "270406471116269501362211289259122509978", "257597789389724016888757316377339413716", "307873686065405842762111767971874098810", "317363423084286711502866716741772912823", "240434244231299267486927785493765036916", "88216972723551032402518697086137787486", "157853225052774601716563002210587479582", "283479763512661529655883225390174471399", "107648053937943838360533745631281501443", "319312758995114045092221498424842029746", "135088448420089307614680804757245164462", "212127858969470162981989225298961726232", "147026790061957939461555754947880946510" ] }, "signature_type": "Line", "deprecated": false, "target": { "file": "modules/http2/h2_stream.c" }, "signature_version": "v1", "source": "https://github.com/apache/httpd/commit/29c63b786ae028d82405421585e91283c8fa0da3" } ] }