Medium severity5.3NVD Advisory· Published Sep 6, 2016· Updated May 6, 2026

CVE-2016-7153

Description

The HTTP/2 protocol does not consider the role of the TCP congestion window in providing information about content length, which makes it easier for remote attackers to obtain cleartext data by leveraging a web-browser configuration in which third-party cookies are sent, aka a "HEIST" attack.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

arstechnica.com/security/2016/08/new-attack-steals-ssns-e-mail-addresses-and-more-from-https-pages/nvdTechnical Description
tom.vg/papers/heist_blackhat2016.pdfnvdTechnical Description
www.securityfocus.com/bid/92773nvd
www.securitytracker.com/id/1036741nvd
www.securitytracker.com/id/1036742nvd
www.securitytracker.com/id/1036743nvd
www.securitytracker.com/id/1036744nvd
www.securitytracker.com/id/1036745nvd
www.securitytracker.com/id/1036746nvd

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000