VYPR
High severity · NVD Advisory · Published Aug 13, 2019 · Updated Aug 4, 2024

Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service

CVE-2019-9514

Description

Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2019-9514 describes an HTTP/2 reset flood vulnerability that can cause denial of service by exhausting memory and CPU resources.

Vulnerability Overview

CVE-2019-9514 is an HTTP/2 vulnerability that allows an attacker to cause a denial of service via a reset flood. The attacker opens multiple streams and sends invalid requests that elicit RST_STREAM frames from the peer. If the peer queues these frames inefficiently, it can lead to excessive memory and CPU consumption [2].

Exploitation Mechanism

The attack leverages the HTTP/2 protocol's stream management. By sending a large number of invalid requests, the attacker forces the server to generate and handle many RST_STREAM frames. Depending on how the implementation queues these frames, the server's resources can be overwhelmed [2]. This attack does not require authentication and can be launched over a network.
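The queueing behaviour described above is what a defence has to bound. As an added illustration (not code from golang.org/x/net or from any vendor patch), this Go model caps how many RST_STREAM frames one connection may have queued and closes the connection once the cap is reached; the type `conn`, the function names and the cap values are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrControlFlood reports that the peer made us queue too many control frames.
var ErrControlFlood = errors.New("http2 model: too many queued control frames")

// conn models only the send queue of one HTTP/2 connection (hypothetical type).
type conn struct {
	maxQueued int  // cap on queued RST_STREAM frames (assumed, operator-chosen)
	queued    int  // RST_STREAM frames generated but not yet written to the peer
	closed    bool // set once the cap is hit; the queue dies with the connection
}

// rejectStream queues one RST_STREAM for an invalid request, or closes the
// connection if the peer has not drained the frames already queued.
func (c *conn) rejectStream() error {
	if c.closed || c.queued >= c.maxQueued {
		c.closed = true
		return ErrControlFlood
	}
	c.queued++
	return nil
}

// simulate feeds `invalid` bad requests to one connection; after each request
// the peer reads `drain` queued frames. It returns the peak queue depth and
// whether the connection was closed.
func simulate(maxQueued, invalid, drain int) (peak int, closed bool) {
	c := &conn{maxQueued: maxQueued}
	for i := 0; i < invalid; i++ {
		if c.rejectStream() != nil {
			break
		}
		if c.queued > peak {
			peak = c.queued
		}
		if drain > c.queued {
			c.queued = 0
		} else {
			c.queued -= drain
		}
	}
	return peak, c.closed
}

func main() {
	// Constructed inputs: 5000 invalid requests on a single connection.
	fmt.Println(simulate(1<<30, 5000, 0)) // effectively uncapped, peer never reads
	fmt.Println(simulate(100, 5000, 0))   // capped at 100, peer never reads
	fmt.Println(simulate(100, 5000, 1))   // capped at 100, peer reads each frame
}
```

With an effectively uncapped queue the depth tracks the number of invalid requests, while the capped connection is closed at the limit and a peer that reads its responses never approaches it.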

Impact

Successful exploitation results in a denial of service, making the affected service unresponsive or causing it to crash. Red Hat rated this vulnerability as Important severity, as it can impact critical infrastructure [2]. The vulnerability affects multiple products including Undertow and Node.js.

Mitigation

Red Hat has released patches for affected products such as JBoss Enterprise Application Platform (via RHSA-2019:4019 [2]), and various container tools (via RHSA-2019:4273 [1], RHSA-2019:4269 [3]). Additionally, Node.js was patched in RHSA-2019:2925 [4]. Administrators should apply the recommended updates to mitigate the risk.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| golang.org/x/net (Go) | < 0.0.0-20190813141303-74dc4d7220e7 | 0.0.0-20190813141303-74dc4d7220e7 |

Affected products

38


References

87
