HTTP/2 memory leak in nghttp2 codec

Submitted on 19. July 2023 - 9:43 by jomeier.
Last update on 19. July 2023 - 9:59.

IDs:

CVE-2023-35945

Keywords:

nghttp2, envoy, Apache

Description:

Envoy version 1.26.3 fixes a memory leak which was found in the nghttp2 library, which is also used by Apache HTTP Server.

Airlock Gateway and Airlock Microgateway are not affected.

The memory leak can only by triggered by a crafted response from an untrusted upstream service. As upstream servers behind Airlock Gateway and Microgateway are trusted, the vulnerability cannot be exploited.

Resolution:

No action required.

Component:

Airlock

Airlock Vulnerability Status:

Does not affect Airlock

Back-end Vulnerability Status:

No action required

Reference:

[1] HTTP/2 memory leak in nghttp2 codec

[2] Nghttp2 v1.55.1

[3] Envoy 1.26.3

Main menu

Navigation

User menu

You are here

HTTP/2 memory leak in nghttp2 codec

Main menu

Search form

Navigation

User menu

You are here

HTTP/2 memory leak in nghttp2 codec