High severityNVD Advisory· Published Aug 13, 2019· Updated Aug 4, 2024
Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service
CVE-2019-9512
Description
Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
golang.org/x/netGo | < 0.0.0-20190813141303-74dc4d7220e7 | 0.0.0-20190813141303-74dc4d7220e7 |
Affected products
50- HTTP/2/HTTP/2description
- osv-coords49 versionspkg:apk/chainguard/heypkg:apk/chainguard/k3dpkg:apk/chainguard/k3d-proxypkg:apk/chainguard/k3d-toolspkg:apk/wolfi/heypkg:apk/wolfi/k3dpkg:apk/wolfi/k3d-proxypkg:apk/wolfi/k3d-toolspkg:golang/golang.org/x/netpkg:rpm/almalinux/containernetworking-pluginspkg:rpm/almalinux/containers-commonpkg:rpm/almalinux/fuse-overlayfspkg:rpm/almalinux/nodejs-nodemonpkg:rpm/almalinux/nodejs-packagingpkg:rpm/almalinux/oci-systemd-hookpkg:rpm/almalinux/oci-umountpkg:rpm/almalinux/runcpkg:rpm/almalinux/skopeopkg:rpm/opensuse/go1.11&distro=openSUSE%20Leap%2015.0pkg:rpm/opensuse/go1.11&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/go1.11&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/go1.12&distro=openSUSE%20Leap%2015.0pkg:rpm/opensuse/go1.12&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/go1.12&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/nodejs10&distro=openSUSE%20Leap%2015.0pkg:rpm/opensuse/nodejs10&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/nodejs8&distro=openSUSE%20Leap%2015.0pkg:rpm/opensuse/nodejs8&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/notary&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/python-Twisted&distro=openSUSE%20Tumbleweedpkg:rpm/suse/firefox-atk&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-cairo&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-gdk-pixbuf&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-glib2&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-gtk3&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-harfbuzz&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-libffi&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-libffi-gcc5&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-pango&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/MozillaFirefox-branding-SLED&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/mozilla-nspr&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/mozilla-nss&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/nodejs10&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012pkg:rpm/suse/nodejs10&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015pkg:rpm/suse/nodejs10&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP1pkg:rpm/suse/nodejs12&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012pkg:rpm/suse/nodejs8&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015pkg:rpm/suse/nodejs8&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP1
< 0.1.4-r3+ 48 more
- (no CPE)range: < 0.1.4-r3
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 0.1.4-r3
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 5.6.0-r11
- (no CPE)range: < 0.0.0-20190813141303-74dc4d7220e7
- (no CPE)range: < 0.7.4-4.git9ebe139.module_el8.3.0+2044+12421f43
- (no CPE)range: < 1:0.1.32-6.git1715c90.module_el8.4.0+2478+12421f43
- (no CPE)range: < 0.3-5.module_el8.3.0+2044+12421f43
- (no CPE)range: < 1.18.3-1.module_el8.3.0+2023+d2377ea3
- (no CPE)range: < 17-3.module_el8.4.0+2224+b07ac28e
- (no CPE)range: < 1:0.1.15-2.git2d0b8a3.module_el8.5.0+119+9a9ec082
- (no CPE)range: < 2:2.3.4-2.git87f9237.module_el8.5.0+119+9a9ec082
- (no CPE)range: < 1.0.0-56.rc5.dev.git2abd837.module_el8.3.0+2044+12421f43
- (no CPE)range: < 1:0.1.32-6.git1715c90.module_el8.4.0+2496+12421f43
- (no CPE)range: < 1.11.13-lp151.2.9.1
- (no CPE)range: < 1.11.13-lp151.2.9.1
- (no CPE)range: < 1.11.13-10.5
- (no CPE)range: < 1.12.9-lp151.2.13.1
- (no CPE)range: < 1.12.9-lp151.2.9.1
- (no CPE)range: < 1.12.17-4.8
- (no CPE)range: < 10.16.3-lp151.2.6.1
- (no CPE)range: < 10.16.3-lp151.2.6.1
- (no CPE)range: < 8.16.1-lp151.2.6.1
- (no CPE)range: < 8.16.1-lp151.2.6.1
- (no CPE)range: < 0.7.0-1.2
- (no CPE)range: < 21.7.0-3.2
- (no CPE)range: < 2.26.1-2.8.4
- (no CPE)range: < 1.15.10-2.13.4
- (no CPE)range: < 2.36.11-2.8.4
- (no CPE)range: < 2.54.3-2.14.7
- (no CPE)range: < 3.10.9-2.15.3
- (no CPE)range: < 1.7.5-2.7.4
- (no CPE)range: < 3.2.1.git259-2.3.3
- (no CPE)range: < 5.3.1+r233831-14.1
- (no CPE)range: < 1.40.14-2.7.4
- (no CPE)range: < 68-21.9.8
- (no CPE)range: < 68.2.0-78.51.4
- (no CPE)range: < 4.21-29.6.1
- (no CPE)range: < 3.45-38.9.3
- (no CPE)range: < 10.16.3-1.12.1
- (no CPE)range: < 10.16.3-1.12.1
- (no CPE)range: < 10.16.3-1.12.1
- (no CPE)range: < 12.13.0-1.3.1
- (no CPE)range: < 8.16.1-3.20.1
- (no CPE)range: < 8.16.1-3.20.1
Patches
Vulnerability mechanics
References
85- lists.opensuse.org/opensuse-security-announce/2019-08/msg00076.htmlghsavendor-advisoryx_refsource_SUSEWEB
- lists.opensuse.org/opensuse-security-announce/2019-09/msg00002.htmlghsavendor-advisoryx_refsource_SUSEWEB
- lists.opensuse.org/opensuse-security-announce/2019-09/msg00011.htmlghsavendor-advisoryx_refsource_SUSEWEB
- lists.opensuse.org/opensuse-security-announce/2019-09/msg00021.htmlghsavendor-advisoryx_refsource_SUSEWEB
- lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.htmlghsavendor-advisoryx_refsource_SUSEWEB
- lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.htmlghsavendor-advisoryx_refsource_SUSEWEB
- lists.opensuse.org/opensuse-security-announce/2019-09/msg00038.htmlghsavendor-advisoryx_refsource_SUSEWEB
- access.redhat.com/errata/RHSA-2019:2594ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2019:2661ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2019:2682ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2019:2690ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2019:2726ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2019:2766ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2019:2769ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2019:2796ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2019:2861ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2019:2925ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2019:2939ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2019:2955ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2019:2966ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2019:3131ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2019:3245ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2019:3265ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2019:3892ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2019:3906ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2019:4018ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2019:4019ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2019:4020ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2019:4021ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2019:4040ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2019:4041ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2019:4042ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2019:4045ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2019:4269ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2019:4273ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2019:4352ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2020:0406ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2020:0727ghsavendor-advisoryx_refsource_REDHATWEB
- github.com/advisories/GHSA-hgr8-6h9x-f7q9ghsaADVISORY
- kb.cert.org/vuls/id/605641/mitrethird-party-advisoryx_refsource_CERT-VN
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4BBP27PZGSY6OP6D26E5FW4GZKBFHNU7/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LYO6E3H34C346D2E443GLXK7OK6KIYIQ/mitrevendor-advisoryx_refsource_FEDORA
- nvd.nist.gov/vuln/detail/CVE-2019-9512ghsaADVISORY
- usn.ubuntu.com/4308-1/mitrevendor-advisoryx_refsource_UBUNTU
- www.debian.org/security/2019/dsa-4503ghsavendor-advisoryx_refsource_DEBIANWEB
- www.debian.org/security/2019/dsa-4508ghsavendor-advisoryx_refsource_DEBIANWEB
- www.debian.org/security/2019/dsa-4520ghsavendor-advisoryx_refsource_DEBIANWEB
- seclists.org/fulldisclosure/2019/Aug/16ghsamailing-listx_refsource_FULLDISCWEB
- www.openwall.com/lists/oss-security/2019/08/20/1ghsamailing-listx_refsource_MLISTWEB
- github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.mdghsax_refsource_MISCWEB
- go.dev/cl/190137ghsaWEB
- go.dev/issue/33606ghsaWEB
- go.googlesource.com/go/+/145e193131eb486077b66009beb051aba07c52a5ghsaWEB
- groups.google.com/g/golang-announce/c/65QixT3tcmg/m/DrFiG6vvCwAJghsaWEB
- kb.cert.org/vuls/id/605641ghsaWEB
- kc.mcafee.com/corporate/indexghsax_refsource_CONFIRMWEB
- lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04@%3Cusers.trafficserver.apache.org%3EghsaWEB
- lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19@%3Cannounce.trafficserver.apache.org%3EghsaWEB
- lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7@%3Cdev.trafficserver.apache.org%3EghsaWEB
- lists.debian.org/debian-lts-announce/2020/12/msg00011.htmlghsamailing-listx_refsource_MLISTWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BBP27PZGSY6OP6D26E5FW4GZKBFHNU7ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMCghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXPghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYO6E3H34C346D2E443GLXK7OK6KIYIQghsaWEB
- pkg.go.dev/vuln/GO-2022-0536ghsaWEB
- seclists.org/bugtraq/2019/Aug/24ghsamailing-listx_refsource_BUGTRAQWEB
- seclists.org/bugtraq/2019/Aug/31ghsamailing-listx_refsource_BUGTRAQWEB
- seclists.org/bugtraq/2019/Aug/43ghsamailing-listx_refsource_BUGTRAQWEB
- seclists.org/bugtraq/2019/Sep/18ghsamailing-listx_refsource_BUGTRAQWEB
- security.netapp.com/advisory/ntap-20190823-0001ghsaWEB
- security.netapp.com/advisory/ntap-20190823-0001/mitrex_refsource_CONFIRM
- security.netapp.com/advisory/ntap-20190823-0004ghsaWEB
- security.netapp.com/advisory/ntap-20190823-0004/mitrex_refsource_CONFIRM
- security.netapp.com/advisory/ntap-20190823-0005ghsaWEB
- security.netapp.com/advisory/ntap-20190823-0005/mitrex_refsource_CONFIRM
- support.f5.com/csp/article/K98053339ghsax_refsource_CONFIRMWEB
- support.f5.com/csp/article/K98053339mitrex_refsource_CONFIRM
- support.f5.com/csp/article/K98053339ghsaWEB
- usn.ubuntu.com/4308-1ghsaWEB
- www.synology.com/security/advisory/Synology_SA_19_33ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.