Medium severity5.3NVD Advisory· Published Dec 8, 2022· Updated Jun 17, 2026
CVE-2022-41717
CVE-2022-41717
Description
An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
golang.org/x/net/http2Go | < 0.4.0 | 0.4.0 |
golang.org/x/netGo | < 0.4.0 | 0.4.0 |
Affected products
114- osv-coords112 versionspkg:apk/chainguard/go-1.19pkg:apk/chainguard/go-1.19-docpkg:apk/chainguard/kubeflowpkg:apk/chainguard/kubeflow-access-managementpkg:apk/chainguard/kubeflow-access-management-compatpkg:apk/chainguard/kubeflow-access-management-fipspkg:apk/chainguard/kubeflow-access-management-fips-compatpkg:apk/chainguard/kubeflow-admission-webhookpkg:apk/chainguard/kubeflow-admission-webhook-compatpkg:apk/chainguard/kubeflow-admission-webhook-fipspkg:apk/chainguard/kubeflow-admission-webhook-fips-compatpkg:apk/chainguard/kubeflow-fipspkg:apk/chainguard/kubeflow-notebook-controllerpkg:apk/chainguard/kubeflow-notebook-controller-compatpkg:apk/chainguard/kubeflow-notebook-controller-fipspkg:apk/chainguard/kubeflow-notebook-controller-fips-compatpkg:apk/chainguard/kubeflow-profile-controllerpkg:apk/chainguard/kubeflow-profile-controller-compatpkg:apk/chainguard/kubeflow-profile-controller-fipspkg:apk/chainguard/kubeflow-profile-controller-fips-compatpkg:apk/chainguard/kubeflow-pvcviewer-controllerpkg:apk/chainguard/kubeflow-pvcviewer-controller-compatpkg:apk/chainguard/kubeflow-pvcviewer-controller-fipspkg:apk/chainguard/kubeflow-pvcviewer-controller-fips-compatpkg:apk/chainguard/kubeflow-tensorboard-controllerpkg:apk/chainguard/kubeflow-tensorboard-controller-compatpkg:apk/chainguard/kubeflow-tensorboard-controller-fipspkg:apk/chainguard/kubeflow-tensorboard-controller-fips-compatpkg:apk/chainguard/terraform-provider-sendgridpkg:apk/chainguard/terraform-provider-sendgrid-fipspkg:apk/wolfi/go-1.19pkg:apk/wolfi/go-1.19-docpkg:apk/wolfi/kubeflowpkg:apk/wolfi/kubeflow-access-managementpkg:apk/wolfi/kubeflow-access-management-compatpkg:apk/wolfi/kubeflow-admission-webhookpkg:apk/wolfi/kubeflow-admission-webhook-compatpkg:apk/wolfi/kubeflow-notebook-controllerpkg:apk/wolfi/kubeflow-notebook-controller-compatpkg:apk/wolfi/kubeflow-profile-controllerpkg:apk/wolfi/kubeflow-profile-controller-compatpkg:apk/wolfi/kubeflow-pvcviewer-controllerpkg:apk/wolfi/kubeflow-pvcviewer-controller-compatpkg:apk/wolfi/kubeflow-tensorboard-controllerpkg:apk/wolfi/kubeflow-tensorboard-controller-compatpkg:apk/wolfi/terraform-provider-sendgridpkg:bitnami/golangpkg:golang/golang.org/x/netpkg:golang/golang.org/x/net/http2pkg:rpm/almalinux/aardvark-dnspkg:rpm/almalinux/buildahpkg:rpm/almalinux/buildah-testspkg:rpm/almalinux/cockpit-podmanpkg:rpm/almalinux/conmonpkg:rpm/almalinux/containernetworking-pluginspkg:rpm/almalinux/containers-commonpkg:rpm/almalinux/container-selinuxpkg:rpm/almalinux/critpkg:rpm/almalinux/criupkg:rpm/almalinux/criu-develpkg:rpm/almalinux/criu-libspkg:rpm/almalinux/crunpkg:rpm/almalinux/fuse-overlayfspkg:rpm/almalinux/git-lfspkg:rpm/almalinux/grafanapkg:rpm/almalinux/libslirppkg:rpm/almalinux/libslirp-develpkg:rpm/almalinux/netavarkpkg:rpm/almalinux/oci-seccomp-bpf-hookpkg:rpm/almalinux/osbuild-composerpkg:rpm/almalinux/osbuild-composer-corepkg:rpm/almalinux/osbuild-composer-dnf-jsonpkg:rpm/almalinux/osbuild-composer-workerpkg:rpm/almalinux/podmanpkg:rpm/almalinux/podman-catatonitpkg:rpm/almalinux/podman-dockerpkg:rpm/almalinux/podman-gvproxypkg:rpm/almalinux/podman-pluginspkg:rpm/almalinux/podman-remotepkg:rpm/almalinux/podman-testspkg:rpm/almalinux/python3-criupkg:rpm/almalinux/python3-podmanpkg:rpm/almalinux/runcpkg:rpm/almalinux/skopeopkg:rpm/almalinux/skopeo-testspkg:rpm/almalinux/slirp4netnspkg:rpm/almalinux/toolboxpkg:rpm/almalinux/toolbox-testspkg:rpm/almalinux/udicapkg:rpm/almalinux/weldr-clientpkg:rpm/opensuse/go1.18&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/go1.18&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/go1.18&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/go1.18-openssl&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/go1.18-openssl&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/go1.19&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/go1.19&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/go1.19&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/traefik2&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/traefik&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/velero&distro=openSUSE%20Tumbleweedpkg:rpm/suse/go1.18&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP3pkg:rpm/suse/go1.18&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP4pkg:rpm/suse/go1.18-openssl&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/go1.18-openssl&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-ESPOSpkg:rpm/suse/go1.18-openssl&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/go1.18-openssl&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP4pkg:rpm/suse/go1.18-openssl&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2015%20SP3pkg:rpm/suse/go1.18-openssl&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/go1.18-openssl&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3pkg:rpm/suse/go1.19&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP3pkg:rpm/suse/go1.19&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP4
< 0+ 111 more
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 1.10.0-r4
- (no CPE)range: < 1.10.0-r4
- (no CPE)range: < 1.10.0-r4
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 1.10.0-r4
- (no CPE)range: < 1.10.0-r4
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 1.10.0-r4
- (no CPE)range: < 1.10.0-r4
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 1.10.0-r4
- (no CPE)range: < 1.10.0-r4
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 1.10.0-r4
- (no CPE)range: < 1.10.0-r4
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 1.10.0-r4
- (no CPE)range: < 1.10.0-r4
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 1.0.1-r1
- (no CPE)range: < 1.0.1-r1
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 1.10.0-r4
- (no CPE)range: < 1.10.0-r4
- (no CPE)range: < 1.10.0-r4
- (no CPE)range: < 1.10.0-r4
- (no CPE)range: < 1.10.0-r4
- (no CPE)range: < 1.10.0-r4
- (no CPE)range: < 1.10.0-r4
- (no CPE)range: < 1.10.0-r4
- (no CPE)range: < 1.10.0-r4
- (no CPE)range: < 1.10.0-r4
- (no CPE)range: < 1.10.0-r4
- (no CPE)range: < 1.10.0-r4
- (no CPE)range: < 1.10.0-r4
- (no CPE)range: < 1.0.1-r1
- (no CPE)range: < 1.18.9
- (no CPE)range: < 0.4.0
- (no CPE)range: < 0.4.0
- (no CPE)range: < 2:1.5.0-2.module_el8.8.0+3470+252b1910
- (no CPE)range: < 1:1.29.1-1.el9
- (no CPE)range: < 1:1.29.1-1.el9
- (no CPE)range: < 63.1-1.module_el8.8.0+3557+7ba9cc13
- (no CPE)range: < 2:2.1.7-1.el9_2
- (no CPE)range: < 1:1.2.0-1.el9
- (no CPE)range: < 2:1-63.module_el8.8.0+3568+e8578284
- (no CPE)range: < 2:2.205.0-2.module_el8.8.0+3557+7ba9cc13
- (no CPE)range: < 3.15-3.module_el8.7.0+3407+95aa0ca9
- (no CPE)range: < 3.15-3.module_el8.7.0+3407+95aa0ca9
- (no CPE)range: < 3.15-3.module_el8.7.0+3407+95aa0ca9
- (no CPE)range: < 3.15-3.module_el8.7.0+3407+95aa0ca9
- (no CPE)range: < 1.8.1-2.module_el8.8.0+3568+e8578284
- (no CPE)range: < 1.10-1.module_el8.8.0+3470+252b1910
- (no CPE)range: < 3.2.0-1.el9
- (no CPE)range: < 9.2.10-7.el9_3.alma.1
- (no CPE)range: < 4.4.0-1.module_el8.7.0+3407+95aa0ca9
- (no CPE)range: < 4.4.0-1.module_el8.7.0+3407+95aa0ca9
- (no CPE)range: < 2:1.5.0-4.module_el8.8.0+3470+252b1910
- (no CPE)range: < 1.2.8-1.module_el8.8.0+3470+252b1910
- (no CPE)range: < 76-2.el9_2.alma
- (no CPE)range: < 76-2.el9_2.alma
- (no CPE)range: < 76-2.el9_2.alma
- (no CPE)range: < 76-2.el9_2.alma
- (no CPE)range: < 2:4.4.1-3.el9
- (no CPE)range: < 3:4.4.1-8.module_el8.8.0+3568+e8578284
- (no CPE)range: < 2:4.4.1-3.el9
- (no CPE)range: < 2:4.4.1-3.el9
- (no CPE)range: < 2:4.4.1-3.el9
- (no CPE)range: < 2:4.4.1-3.el9
- (no CPE)range: < 2:4.4.1-3.el9
- (no CPE)range: < 3.15-3.module_el8.7.0+3407+95aa0ca9
- (no CPE)range: < 4.4.1-1.module_el8.8.0+3470+252b1910
- (no CPE)range: < 1:1.1.4-1.module_el8.7.0+3407+95aa0ca9
- (no CPE)range: < 2:1.11.2-0.1.el9
- (no CPE)range: < 2:1.11.2-0.1.el9
- (no CPE)range: < 1.2.0-2.module_el8.7.0+3407+95aa0ca9
- (no CPE)range: < 0.0.99.3-9.el9
- (no CPE)range: < 0.0.99.3-9.el9
- (no CPE)range: < 0.2.6-20.module_el8.8.0+3470+252b1910
- (no CPE)range: < 35.9-1.el9
- (no CPE)range: < 1.18.9-150000.1.40.1
- (no CPE)range: < 1.18.9-150000.1.40.1
- (no CPE)range: < 1.18.9-1.1
- (no CPE)range: < 1.18.10.1-150000.1.9.1
- (no CPE)range: < 1.18.10.1-150000.1.9.1
- (no CPE)range: < 1.19.4-150000.1.18.1
- (no CPE)range: < 1.19.4-150000.1.18.1
- (no CPE)range: < 1.19.4-1.1
- (no CPE)range: < 2.11.5-1.1
- (no CPE)range: < 2.9.6-1.1
- (no CPE)range: < 1.11.1-1.1
- (no CPE)range: < 1.18.9-150000.1.40.1
- (no CPE)range: < 1.18.9-150000.1.40.1
- (no CPE)range: < 1.18.10.1-150000.1.9.1
- (no CPE)range: < 1.18.10.1-150000.1.9.1
- (no CPE)range: < 1.18.10.1-150000.1.9.1
- (no CPE)range: < 1.18.10.1-150000.1.9.1
- (no CPE)range: < 1.18.10.1-150000.1.9.1
- (no CPE)range: < 1.18.10.1-150000.1.9.1
- (no CPE)range: < 1.18.10.1-150000.1.9.1
- (no CPE)range: < 1.19.4-150000.1.18.1
- (no CPE)range: < 1.19.4-150000.1.18.1
- golang.org/x/net/golang.org/x/net/http2v5Range: 0
- Go standard library/net/httpv5Range: 0
Patches
Vulnerability mechanics
References
44- go.dev/cl/455635nvdPatchVendor AdvisoryWEB
- go.dev/cl/455717nvdPatchVendor AdvisoryWEB
- go.dev/issue/56350nvdPatchThird Party AdvisoryWEB
- github.com/advisories/GHSA-xrjj-mj9h-534mghsaADVISORY
- groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJnvdMailing ListRelease NotesThird Party AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2022-41717ghsaADVISORY
- pkg.go.dev/vuln/GO-2022-1144nvdVendor AdvisoryWEB
- cs.opensource.google/go/x/netghsaPACKAGE
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4SBIUECMLNC572P23DDOKJNKPJVX26SPghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/56B2FFESRYYP6IY2AZ3UWXLWKZ5IYZN4ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5RSKA2II6QTD4YUKUNDVJQSRYSFC4VFRghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANIOPUXWIHVRA6CEWXCGOMX3YYS6KFHGghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4BghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CSVIS6MTMFVBA7JPMRAUNKUOYEVSJYSBghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6PghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NQGNAXK3YBPMUP3J4TECIRDHFGW37522ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NQGNAXK3YBPMUP3J4TECIRDHFGW37522/nvdMailing List
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PUM4DIVOLJCBK5ZDP4LJOL24GXT3YSIRghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PUM4DIVOLJCBK5ZDP4LJOL24GXT3YSIR/nvdMailing List
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PW3XC47AUW5J5M2ULJX7WCCL3B2ETLMTghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q52IQI754YAE4XPR4QBRWPIVZWYGZ4FSghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QBKBAZBIOXZV5QCFHZNSVXULR32XJCYDghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QBKBAZBIOXZV5QCFHZNSVXULR32XJCYD/nvdMailing List
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOUghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RIghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WPEIZ7AMEJCZXU3FEJZMVRNHQZXX5P3IghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZSVEMQV5ROY5YW5QE3I57HT3ITWG5GCVghsaWEB
- security.gentoo.org/glsa/202311-09nvdWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/nvd
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4SBIUECMLNC572P23DDOKJNKPJVX26SP/nvd
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/56B2FFESRYYP6IY2AZ3UWXLWKZ5IYZN4/nvd
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5RSKA2II6QTD4YUKUNDVJQSRYSFC4VFR/nvd
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANIOPUXWIHVRA6CEWXCGOMX3YYS6KFHG/nvd
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/nvd
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CSVIS6MTMFVBA7JPMRAUNKUOYEVSJYSB/nvd
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/nvd
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PW3XC47AUW5J5M2ULJX7WCCL3B2ETLMT/nvd
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q52IQI754YAE4XPR4QBRWPIVZWYGZ4FS/nvd
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/nvd
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/nvd
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WPEIZ7AMEJCZXU3FEJZMVRNHQZXX5P3I/nvd
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZSVEMQV5ROY5YW5QE3I57HT3ITWG5GCV/nvd
- security.netapp.com/advisory/ntap-20230120-0008/nvd
News mentions
0No linked articles in our index yet.