High severity7.5NVD Advisory· Published Aug 13, 2019· Updated Jun 17, 2026
CVE-2019-9515
CVE-2019-9515
Description
Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
26- HTTP/2/HTTP/2description
- osv-coords25 versionspkg:rpm/almalinux/nodejs-nodemonpkg:rpm/almalinux/nodejs-packagingpkg:rpm/opensuse/nodejs10&distro=openSUSE%20Leap%2015.0pkg:rpm/opensuse/nodejs10&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/nodejs8&distro=openSUSE%20Leap%2015.0pkg:rpm/opensuse/nodejs8&distro=openSUSE%20Leap%2015.1pkg:rpm/suse/firefox-atk&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-cairo&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-gdk-pixbuf&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-glib2&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-gtk3&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-harfbuzz&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-libffi&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-libffi-gcc5&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-pango&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/MozillaFirefox-branding-SLED&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/mozilla-nspr&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/mozilla-nss&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/nodejs10&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012pkg:rpm/suse/nodejs10&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015pkg:rpm/suse/nodejs10&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP1pkg:rpm/suse/nodejs12&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012pkg:rpm/suse/nodejs8&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015pkg:rpm/suse/nodejs8&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP1
< 1.18.3-1.module_el8.3.0+2023+d2377ea3+ 24 more
- (no CPE)range: < 1.18.3-1.module_el8.3.0+2023+d2377ea3
- (no CPE)range: < 17-3.module_el8.4.0+2224+b07ac28e
- (no CPE)range: < 10.16.3-lp151.2.6.1
- (no CPE)range: < 10.16.3-lp151.2.6.1
- (no CPE)range: < 8.16.1-lp151.2.6.1
- (no CPE)range: < 8.16.1-lp151.2.6.1
- (no CPE)range: < 2.26.1-2.8.4
- (no CPE)range: < 1.15.10-2.13.4
- (no CPE)range: < 2.36.11-2.8.4
- (no CPE)range: < 2.54.3-2.14.7
- (no CPE)range: < 3.10.9-2.15.3
- (no CPE)range: < 1.7.5-2.7.4
- (no CPE)range: < 3.2.1.git259-2.3.3
- (no CPE)range: < 5.3.1+r233831-14.1
- (no CPE)range: < 1.40.14-2.7.4
- (no CPE)range: < 68-21.9.8
- (no CPE)range: < 68.2.0-78.51.4
- (no CPE)range: < 4.21-29.6.1
- (no CPE)range: < 3.45-38.9.3
- (no CPE)range: < 10.16.3-1.12.1
- (no CPE)range: < 10.16.3-1.12.1
- (no CPE)range: < 10.16.3-1.12.1
- (no CPE)range: < 12.13.0-1.3.1
- (no CPE)range: < 8.16.1-3.20.1
- (no CPE)range: < 8.16.1-3.20.1
Patches
Vulnerability mechanics
References
38- lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.htmlnvdMailing ListThird Party Advisory
- lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.htmlnvdMailing ListThird Party Advisory
- seclists.org/fulldisclosure/2019/Aug/16nvdMailing ListThird Party Advisory
- access.redhat.com/errata/RHSA-2019:2766nvdThird Party Advisory
- access.redhat.com/errata/RHSA-2019:2796nvdThird Party Advisory
- access.redhat.com/errata/RHSA-2019:2861nvdThird Party Advisory
- access.redhat.com/errata/RHSA-2019:2925nvdThird Party Advisory
- access.redhat.com/errata/RHSA-2019:2939nvdThird Party Advisory
- access.redhat.com/errata/RHSA-2019:2955nvdThird Party Advisory
- access.redhat.com/errata/RHSA-2019:3892nvdThird Party Advisory
- access.redhat.com/errata/RHSA-2019:4018nvdThird Party Advisory
- access.redhat.com/errata/RHSA-2019:4019nvdThird Party Advisory
- access.redhat.com/errata/RHSA-2019:4020nvdThird Party Advisory
- access.redhat.com/errata/RHSA-2019:4021nvdThird Party Advisory
- access.redhat.com/errata/RHSA-2019:4040nvdThird Party Advisory
- access.redhat.com/errata/RHSA-2019:4041nvdThird Party Advisory
- access.redhat.com/errata/RHSA-2019:4042nvdThird Party Advisory
- access.redhat.com/errata/RHSA-2019:4045nvdThird Party Advisory
- access.redhat.com/errata/RHSA-2019:4352nvdThird Party Advisory
- access.redhat.com/errata/RHSA-2020:0727nvdThird Party Advisory
- github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.mdnvdThird Party Advisory
- kb.cert.org/vuls/id/605641/nvdThird Party AdvisoryUS Government Resource
- kc.mcafee.com/corporate/indexnvdThird Party Advisory
- seclists.org/bugtraq/2019/Aug/24nvdMailing ListThird Party Advisory
- seclists.org/bugtraq/2019/Aug/43nvdMailing ListThird Party Advisory
- seclists.org/bugtraq/2019/Sep/18nvdMailing ListThird Party Advisory
- security.netapp.com/advisory/ntap-20190823-0005/nvdThird Party Advisory
- support.f5.com/csp/article/K50233772nvdThird Party Advisory
- usn.ubuntu.com/4308-1/nvdThird Party Advisory
- www.debian.org/security/2019/dsa-4508nvdThird Party Advisory
- www.debian.org/security/2019/dsa-4520nvdThird Party Advisory
- www.synology.com/security/advisory/Synology_SA_19_33nvdThird Party Advisory
- lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3Envd
- lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3Envd
- lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3Envd
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/nvd
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/nvd
- support.f5.com/csp/article/K50233772nvd
News mentions
0No linked articles in our index yet.