CVE-2024-28182

nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/28xxx/CVE-2024-28182.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-770"
    ]
}

References

Affected packages

Git / github.com/nghttp2/nghttp2

Affected ranges

Type

GIT

Repo

https://github.com/nghttp2/nghttp2

Events

Introduced

Fixed

d76b8331d16200df3d969d94438a96495ffbe42b

Fixed

00201ecd8f982da3b67d4f6868af72a1b03b14e0

Fixed

d71a4668c6bead55805d18810d633fbb98315af9

Database specific

{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.61.0"
        }
    ],
    "cpe": "cpe:2.3:a:nghttp2:nghttp2:*:*:*:*:*:*:*:*",
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

v0.*

v0.2.0

v0.3.0

v0.3.1

v0.4.0

v0.4.1

v0.5.0

v0.5.1

v0.6.0

v0.6.1

v0.6.2

v0.6.3

v0.6.4

v0.6.5

v0.6.6

v0.6.7

v0.7.0

v0.7.1

v0.7.10

v0.7.11

v0.7.12

v0.7.13

v0.7.14

v0.7.15

v0.7.2

v0.7.3

v0.7.4

v0.7.5

v0.7.6

v0.7.7

v0.7.8

v0.7.9

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.0.3

v1.0.4

v1.0.5

v1.1.0

v1.1.1

v1.1.2

v1.10.0

v1.11.0

v1.12.0

v1.13.0

v1.14.0

v1.15.0

v1.16.0

v1.17.0

v1.18.0

v1.19.0

v1.2.0

v1.2.1

v1.20.0

v1.21.0

v1.22.0

v1.23.0

v1.24.0

v1.25.0

v1.26.0

v1.27.0

v1.28.0

v1.29.0

v1.3.0

v1.3.1

v1.3.2

v1.3.3

v1.3.4

v1.30.0

v1.31.0

v1.32.0

v1.33.0

v1.34.0

v1.35.0

v1.36.0

v1.37.0

v1.38.0

v1.39.0

v1.4.0

v1.40.0

v1.41.0

v1.42.0

v1.43.0

v1.44.0

v1.45.0

v1.46.0

v1.47.0

v1.48.0

v1.49.0

v1.5.0

v1.50.0

v1.51.0

v1.52.0

v1.53.0

v1.54.0

v1.55.0

v1.56.0

v1.57.0

v1.58.0

v1.59.0

v1.6.0

v1.60.0

v1.7.0

v1.8.0

v1.9.0

v1.9.1

Database specific

vanir_signatures_modified

"2026-06-16T02:14:25Z"

vanir_signatures

[
    {
        "digest": {
            "line_hashes": [
                "168416563576190347408713241978336909463",
                "105745070991987012142728504826722163928",
                "210045656255359480426491036454890754216",
                "182117628044521304124954506324383395004",
                "42570277537144117251232856936909939939",
                "64975666185196201045112099564033956892",
                "271210678605979927435771064555308419524"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "id": "CVE-2024-28182-06276930",
        "signature_type": "Line",
        "deprecated": false,
        "target": {
            "file": "lib/nghttp2_session.h"
        },
        "source": "https://github.com/nghttp2/nghttp2/commit/00201ecd8f982da3b67d4f6868af72a1b03b14e0"
    },
    {
        "digest": {
            "line_hashes": [
                "45310035522936433301363521141127259870",
                "15480211169677363032542398854259055915",
                "185566811840970922285530967417650931151",
                "249808213665340442941275941815580125418",
                "105787306871381089957766610171564903994",
                "116903801119350570950032397955069123636",
                "100901886405521681434148391180217479535",
                "132973454053868903628150006430808797623"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "id": "CVE-2024-28182-08b9f33e",
        "signature_type": "Line",
        "deprecated": false,
        "target": {
            "file": "lib/nghttp2_option.h"
        },
        "source": "https://github.com/nghttp2/nghttp2/commit/d71a4668c6bead55805d18810d633fbb98315af9"
    },
    {
        "digest": {
            "function_hash": "277377678866018232605278761261395556339",
            "length": 27438.0
        },
        "signature_version": "v1",
        "id": "CVE-2024-28182-1b594dc2",
        "signature_type": "Function",
        "deprecated": false,
        "target": {
            "file": "lib/nghttp2_session.c",
            "function": "nghttp2_session_mem_recv2"
        },
        "source": "https://github.com/nghttp2/nghttp2/commit/00201ecd8f982da3b67d4f6868af72a1b03b14e0"
    },
    {
        "digest": {
            "function_hash": "185793910357562898773047223171943655645",
            "length": 6183.0
        },
        "signature_version": "v1",
        "id": "CVE-2024-28182-3b1128f7",
        "signature_type": "Function",
        "deprecated": false,
        "target": {
            "file": "lib/nghttp2_session.c",
            "function": "session_new"
        },
        "source": "https://github.com/nghttp2/nghttp2/commit/d71a4668c6bead55805d18810d633fbb98315af9"
    },
    {
        "digest": {
            "line_hashes": [
                "62934841579446218291310397647181859937",
                "198310210882851722095017007230154127159",
                "66281390626786731072606088864116774716",
                "77071207928031166158783556068782833928"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "id": "CVE-2024-28182-3c6722d3",
        "signature_type": "Line",
        "deprecated": false,
        "target": {
            "file": "lib/nghttp2_session.c"
        },
        "source": "https://github.com/nghttp2/nghttp2/commit/d71a4668c6bead55805d18810d633fbb98315af9"
    },
    {
        "digest": {
            "line_hashes": [
                "74239153192932919673058296155399667044",
                "25645480181004914542417771660506898785",
                "167027884194542307147716645224143680404",
                "52565796836102647758594797720601275993",
                "184250355424449375404011615813589273871",
                "33575398907079311815942647898791112560",
                "212419227813462998438868087916798159532",
                "120004842395366115637624773045995342953",
                "100265471669511872002174691824280780718",
                "222527491541499849599219319732743700968",
                "261039132491513982766691254601259755489"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "id": "CVE-2024-28182-6aee20fb",
        "signature_type": "Line",
        "deprecated": false,
        "target": {
            "file": "lib/nghttp2_session.c"
        },
        "source": "https://github.com/nghttp2/nghttp2/commit/00201ecd8f982da3b67d4f6868af72a1b03b14e0"
    },
    {
        "digest": {
            "function_hash": "265277463269901768871363643440463795991",
            "length": 6112.0
        },
        "signature_version": "v1",
        "id": "CVE-2024-28182-8f4f22ab",
        "signature_type": "Function",
        "deprecated": false,
        "target": {
            "file": "lib/nghttp2_session.c",
            "function": "session_new"
        },
        "source": "https://github.com/nghttp2/nghttp2/commit/00201ecd8f982da3b67d4f6868af72a1b03b14e0"
    },
    {
        "digest": {
            "line_hashes": [
                "321095213924837251945518793819795712308",
                "45751897705775381834533152983753160435",
                "338380929782320037738470125326777673843"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "id": "CVE-2024-28182-ca6adfa6",
        "signature_type": "Line",
        "deprecated": false,
        "target": {
            "file": "lib/includes/nghttp2/nghttp2.h"
        },
        "source": "https://github.com/nghttp2/nghttp2/commit/d71a4668c6bead55805d18810d633fbb98315af9"
    },
    {
        "digest": {
            "function_hash": "220166590879525729467479264486194269073",
            "length": 3230.0
        },
        "signature_version": "v1",
        "id": "CVE-2024-28182-ec0ebb72",
        "signature_type": "Function",
        "deprecated": false,
        "target": {
            "file": "lib/nghttp2_helper.c",
            "function": "nghttp2_strerror"
        },
        "source": "https://github.com/nghttp2/nghttp2/commit/00201ecd8f982da3b67d4f6868af72a1b03b14e0"
    },
    {
        "digest": {
            "line_hashes": [
                "105990474738462789621800357164324771296",
                "329256794827871196652671364414674389722",
                "73597585812767531931530952450263453037",
                "190122327470319867538967522868158070439"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "id": "CVE-2024-28182-ee5b9193",
        "signature_type": "Line",
        "deprecated": false,
        "target": {
            "file": "lib/nghttp2_helper.c"
        },
        "source": "https://github.com/nghttp2/nghttp2/commit/00201ecd8f982da3b67d4f6868af72a1b03b14e0"
    },
    {
        "digest": {
            "line_hashes": [
                "15094264943449310412926177594570369719",
                "92239534102572802314686247865166681236",
                "189363486363542994076907577273592157321",
                "289279146741278262746505326032312713603"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "id": "CVE-2024-28182-f9fd8e93",
        "signature_type": "Line",
        "deprecated": false,
        "target": {
            "file": "lib/includes/nghttp2/nghttp2.h"
        },
        "source": "https://github.com/nghttp2/nghttp2/commit/00201ecd8f982da3b67d4f6868af72a1b03b14e0"
    }
]

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-28182.json"