Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service
Description
Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2019-9512 is an HTTP/2 ping flood vulnerability that can cause denial of service by exhausting the target's CPU and memory resources.
Vulnerability Overview
CVE-2019-9512 affects HTTP/2 implementations that mishandle PING frames. The attacker sends a continuous stream of pings to the peer, forcing it to build an internal queue of responses. If the implementation does not efficiently handle this queuing, it can lead to excessive CPU and memory consumption, resulting in a denial of service.[1][2]
Exploitation and Attack Surface
Exploitation requires only the ability to establish an HTTP/2 connection to the target. No authentication or special privileges are needed. The attacker simply sends a high rate of PING frames, and the target's internal response queue grows unchecked. This is a straightforward amplification-based attack that can be carried out with low bandwidth.[1]
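To make the queue growth concrete from the receiving side, here is an added Go example (not code from golang.org/x/net or any affected project) that parses PING frames and queues one ACK each, once unbounded and once with a cap that closes the connection. The names `ackQueue`, `handle`, `pings` and the limit of 100 are assumptions made for this illustration.

```go
package main

import "errors"
import "fmt"

var errControlFlood = errors.New("control-frame queue limit reached, closing connection")

// ackQueue models PING ACKs built for a peer that is not reading them.
type ackQueue struct {
	pending [][8]byte
	limit   int // hypothetical cap for this example; 0 means unbounded
}

// handle parses HTTP/2 frames (9-byte header) and queues one ACK per PING.
func (q *ackQueue) handle(buf []byte) error {
	for len(buf) >= 9 {
		n := int(buf[0])<<16 | int(buf[1])<<8 | int(buf[2])
		if len(buf) < 9+n {
			return errors.New("truncated frame")
		}
		typ, flags, payload := buf[3], buf[4], buf[9:9+n]
		buf = buf[9+n:]
		if typ != 0x6 || flags&0x1 != 0 {
			continue // not a PING, or a PING ACK, which gets no reply
		}
		if n != 8 {
			return errors.New("PING payload must be 8 bytes")
		}
		if q.limit > 0 && len(q.pending) >= q.limit {
			return errControlFlood // stop reading and drop the connection
		}
		var ack [8]byte
		copy(ack[:], payload) // the ACK echoes the 8 opaque bytes
		q.pending = append(q.pending, ack)
	}
	return nil
}

func pings(n int) (out []byte) { // n constructed PING frames, sample input
	for i := 0; i < n; i++ {
		out = append(out, 0, 0, 8, 0x6, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, byte(i))
	}
	return out
}

func main() {
	q := &ackQueue{limit: 100}
	fmt.Println(q.handle(pings(5000)), len(q.pending))
}
```

With `limit` left at 0 the same input leaves 5000 ACKs pending, which is the unchecked growth the description refers to.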
Impact
Successful exploitation causes the target to become unresponsive or crash due to resource exhaustion. The impact is a denial of service affecting the availability of the HTTP/2 service. Affected products include Red Hat JBoss Enterprise Application Platform (Undertow), Go, and Node.js, as indicated by multiple Red Hat security advisories.[2][3][4]
Mitigation
Red Hat released updates for Undertow in RHSA-2019:4019, for Go in RHSA-2019:2726, and for Node.js in RHSA-2019:2925. Affected users should apply the latest patches. No workarounds are mentioned, so upgrading is the recommended mitigation.[2][3][4]
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| golang.org/x/net (Go) | < 0.0.0-20190813141303-74dc4d7220e7 | 0.0.0-20190813141303-74dc4d7220e7 |
Affected products (38)
- HTTP/2/HTTP/2 (description)
- osv-coords (37 versions; no CPE listed for any entry):

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/hey | < 0.1.4-r3 |
| pkg:apk/chainguard/k3d | < 5.6.0-r11 |
| pkg:apk/chainguard/k3d-proxy | < 5.6.0-r11 |
| pkg:apk/chainguard/k3d-tools | < 5.6.0-r11 |
| pkg:apk/wolfi/hey | < 0.1.4-r3 |
| pkg:apk/wolfi/k3d | < 5.6.0-r11 |
| pkg:apk/wolfi/k3d-proxy | < 5.6.0-r11 |
| pkg:apk/wolfi/k3d-tools | < 5.6.0-r11 |
| pkg:golang/golang.org/x/net | < 0.0.0-20190813141303-74dc4d7220e7 |
| pkg:rpm/almalinux/containernetworking-plugins | < 0.7.4-4.git9ebe139.module_el8.3.0+2044+12421f43 |
| pkg:rpm/almalinux/containers-common | < 1:0.1.32-6.git1715c90.module_el8.4.0+2478+12421f43 |
| pkg:rpm/almalinux/fuse-overlayfs | < 0.3-5.module_el8.3.0+2044+12421f43 |
| pkg:rpm/almalinux/nodejs-nodemon | < 1.18.3-1.module_el8.3.0+2023+d2377ea3 |
| pkg:rpm/almalinux/nodejs-packaging | < 17-3.module_el8.4.0+2224+b07ac28e |
| pkg:rpm/almalinux/oci-systemd-hook | < 1:0.1.15-2.git2d0b8a3.module_el8.5.0+119+9a9ec082 |
| pkg:rpm/almalinux/oci-umount | < 2:2.3.4-2.git87f9237.module_el8.5.0+119+9a9ec082 |
| pkg:rpm/almalinux/runc | < 1.0.0-56.rc5.dev.git2abd837.module_el8.3.0+2044+12421f43 |
| pkg:rpm/almalinux/skopeo | < 1:0.1.32-6.git1715c90.module_el8.4.0+2496+12421f43 |
| pkg:rpm/suse/firefox-atk&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS | < 2.26.1-2.8.4 |
| pkg:rpm/suse/firefox-cairo&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS | < 1.15.10-2.13.4 |
| pkg:rpm/suse/firefox-gdk-pixbuf&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS | < 2.36.11-2.8.4 |
| pkg:rpm/suse/firefox-glib2&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS | < 2.54.3-2.14.7 |
| pkg:rpm/suse/firefox-gtk3&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS | < 3.10.9-2.15.3 |
| pkg:rpm/suse/firefox-harfbuzz&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS | < 1.7.5-2.7.4 |
| pkg:rpm/suse/firefox-libffi&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS | < 3.2.1.git259-2.3.3 |
| pkg:rpm/suse/firefox-libffi-gcc5&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS | < 5.3.1+r233831-14.1 |
| pkg:rpm/suse/firefox-pango&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS | < 1.40.14-2.7.4 |
| pkg:rpm/suse/MozillaFirefox-branding-SLED&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS | < 68-21.9.8 |
| pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS | < 68.2.0-78.51.4 |
| pkg:rpm/suse/mozilla-nspr&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS | < 4.21-29.6.1 |
| pkg:rpm/suse/mozilla-nss&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS | < 3.45-38.9.3 |
| pkg:rpm/suse/nodejs10&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012 | < 10.16.3-1.12.1 |
| pkg:rpm/suse/nodejs10&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015 | < 10.16.3-1.12.1 |
| pkg:rpm/suse/nodejs10&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP1 | < 10.16.3-1.12.1 |
| pkg:rpm/suse/nodejs12&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012 | < 12.13.0-1.3.1 |
| pkg:rpm/suse/nodejs8&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015 | < 8.16.1-3.20.1 |
| pkg:rpm/suse/nodejs8&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP1 | < 8.16.1-3.20.1 |
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (85)
- lists.opensuse.org/opensuse-security-announce/2019-08/msg00076.html (ghsa, vendor-advisory, x_refsource_SUSE, WEB)
- lists.opensuse.org/opensuse-security-announce/2019-09/msg00002.html (ghsa, vendor-advisory, x_refsource_SUSE, WEB)
- lists.opensuse.org/opensuse-security-announce/2019-09/msg00011.html (ghsa, vendor-advisory, x_refsource_SUSE, WEB)
- lists.opensuse.org/opensuse-security-announce/2019-09/msg00021.html (ghsa, vendor-advisory, x_refsource_SUSE, WEB)
- lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html (ghsa, vendor-advisory, x_refsource_SUSE, WEB)
- lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html (ghsa, vendor-advisory, x_refsource_SUSE, WEB)
- lists.opensuse.org/opensuse-security-announce/2019-09/msg00038.html (ghsa, vendor-advisory, x_refsource_SUSE, WEB)
- access.redhat.com/errata/RHSA-2019:2594 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- access.redhat.com/errata/RHSA-2019:2661 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- access.redhat.com/errata/RHSA-2019:2682 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- access.redhat.com/errata/RHSA-2019:2690 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- access.redhat.com/errata/RHSA-2019:2726 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- access.redhat.com/errata/RHSA-2019:2766 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- access.redhat.com/errata/RHSA-2019:2769 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- access.redhat.com/errata/RHSA-2019:2796 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- access.redhat.com/errata/RHSA-2019:2861 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- access.redhat.com/errata/RHSA-2019:2925 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- access.redhat.com/errata/RHSA-2019:2939 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- access.redhat.com/errata/RHSA-2019:2955 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- access.redhat.com/errata/RHSA-2019:2966 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- access.redhat.com/errata/RHSA-2019:3131 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- access.redhat.com/errata/RHSA-2019:3245 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- access.redhat.com/errata/RHSA-2019:3265 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- access.redhat.com/errata/RHSA-2019:3892 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- access.redhat.com/errata/RHSA-2019:3906 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- access.redhat.com/errata/RHSA-2019:4018 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- access.redhat.com/errata/RHSA-2019:4019 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- access.redhat.com/errata/RHSA-2019:4020 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- access.redhat.com/errata/RHSA-2019:4021 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- access.redhat.com/errata/RHSA-2019:4040 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- access.redhat.com/errata/RHSA-2019:4041 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- access.redhat.com/errata/RHSA-2019:4042 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- access.redhat.com/errata/RHSA-2019:4045 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- access.redhat.com/errata/RHSA-2019:4269 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- access.redhat.com/errata/RHSA-2019:4273 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- access.redhat.com/errata/RHSA-2019:4352 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- access.redhat.com/errata/RHSA-2020:0406 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- access.redhat.com/errata/RHSA-2020:0727 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- github.com/advisories/GHSA-hgr8-6h9x-f7q9 (ghsa, ADVISORY)
- kb.cert.org/vuls/id/605641/ (mitre, third-party-advisory, x_refsource_CERT-VN)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4BBP27PZGSY6OP6D26E5FW4GZKBFHNU7/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LYO6E3H34C346D2E443GLXK7OK6KIYIQ/ (mitre, vendor-advisory, x_refsource_FEDORA)
- nvd.nist.gov/vuln/detail/CVE-2019-9512 (ghsa, ADVISORY)
- usn.ubuntu.com/4308-1/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- www.debian.org/security/2019/dsa-4503 (ghsa, vendor-advisory, x_refsource_DEBIAN, WEB)
- www.debian.org/security/2019/dsa-4508 (ghsa, vendor-advisory, x_refsource_DEBIAN, WEB)
- www.debian.org/security/2019/dsa-4520 (ghsa, vendor-advisory, x_refsource_DEBIAN, WEB)
- seclists.org/fulldisclosure/2019/Aug/16 (ghsa, mailing-list, x_refsource_FULLDISC, WEB)
- www.openwall.com/lists/oss-security/2019/08/20/1 (ghsa, mailing-list, x_refsource_MLIST, WEB)
- github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md (ghsa, x_refsource_MISC, WEB)
- go.dev/cl/190137 (ghsa, WEB)
- go.dev/issue/33606 (ghsa, WEB)
- go.googlesource.com/go/+/145e193131eb486077b66009beb051aba07c52a5 (ghsa, WEB)
- groups.google.com/g/golang-announce/c/65QixT3tcmg/m/DrFiG6vvCwAJ (ghsa, WEB)
- kb.cert.org/vuls/id/605641 (ghsa, WEB)
- kc.mcafee.com/corporate/index (ghsa, x_refsource_CONFIRM, WEB)
- lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04@%3Cusers.trafficserver.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19@%3Cannounce.trafficserver.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7@%3Cdev.trafficserver.apache.org%3E (ghsa, WEB)
- lists.debian.org/debian-lts-announce/2020/12/msg00011.html (ghsa, mailing-list, x_refsource_MLIST, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BBP27PZGSY6OP6D26E5FW4GZKBFHNU7 (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYO6E3H34C346D2E443GLXK7OK6KIYIQ (ghsa, WEB)
- pkg.go.dev/vuln/GO-2022-0536 (ghsa, WEB)
- seclists.org/bugtraq/2019/Aug/24 (ghsa, mailing-list, x_refsource_BUGTRAQ, WEB)
- seclists.org/bugtraq/2019/Aug/31 (ghsa, mailing-list, x_refsource_BUGTRAQ, WEB)
- seclists.org/bugtraq/2019/Aug/43 (ghsa, mailing-list, x_refsource_BUGTRAQ, WEB)
- seclists.org/bugtraq/2019/Sep/18 (ghsa, mailing-list, x_refsource_BUGTRAQ, WEB)
- security.netapp.com/advisory/ntap-20190823-0001 (ghsa, WEB)
- security.netapp.com/advisory/ntap-20190823-0001/ (mitre, x_refsource_CONFIRM)
- security.netapp.com/advisory/ntap-20190823-0004 (ghsa, WEB)
- security.netapp.com/advisory/ntap-20190823-0004/ (mitre, x_refsource_CONFIRM)
- security.netapp.com/advisory/ntap-20190823-0005 (ghsa, WEB)
- security.netapp.com/advisory/ntap-20190823-0005/ (mitre, x_refsource_CONFIRM)
- support.f5.com/csp/article/K98053339 (ghsa, x_refsource_CONFIRM, WEB)
- support.f5.com/csp/article/K98053339 (mitre, x_refsource_CONFIRM)
- support.f5.com/csp/article/K98053339 (ghsa, WEB)
- usn.ubuntu.com/4308-1 (ghsa, WEB)
- www.synology.com/security/advisory/Synology_SA_19_33 (ghsa, x_refsource_CONFIRM, WEB)
News mentions (0)
No linked articles in our index yet.