Excessive memory growth in net/http and golang.org/x/net/http2
Description
An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2022-41717: an HTTP/2 header key cache in Go's net/http allows an attacker to cause ~64 MiB memory growth per connection.
Vulnerability
Details
CVE-2022-41717 is a memory exhaustion vulnerability in Go's net/http package affecting servers that accept HTTP/2 requests. The root cause lies in the HTTP/2 header key cache: while the number of cache entries is bounded, an attacker can send very large HTTP header keys, causing the server to allocate approximately 64 MiB of memory per open connection [1] [2].
Exploitation
The attack requires no authentication or special permissions—any client that can establish an HTTP/2 connection to a vulnerable Go server can trigger the memory allocation. The attacker simply sends HTTP/2 frames containing oversized header keys; the server caches each key, and the per‑connection memory consumption grows linearly with the size of the keys [2].
Impact
By opening multiple connections, an attacker can exhaust the server’s available memory, leading to a denial of service (DoS) condition. The memory is not released until the connection is closed, so sustained or repeated connections can cause the server to become unresponsive or crash [1].
Mitigation
Go released fixes in versions 1.19.4 and 1.18.9 on December 6, 2022, which limit the header key cache by total bytes instead of by entry count [2]. Users manually configuring HTTP/2 should apply the fix to golang.org/x/net/http2. Fedora also released updated packages [3] [4]. No workaround is available for unpatched versions.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
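The difference between capping the cache by entry count and capping it by total bytes, as an added Go example (a model written for this page, not the net/http or golang.org/x/net source). The `keyCache` type, the limits 32 and 2048, and the 1 MiB key length are assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Illustrative limits, assumed for this example (not quoted from the page).
const (
	maxEntries = 32   // cap on the number of cached keys
	maxBytes   = 2048 // cap on the total key+value bytes cached
)

// keyCache models a per-connection cache from a client-sent header key to its canonical form.
type keyCache struct {
	byBytes  bool // true: enforce maxBytes; false: enforce maxEntries
	entries  map[string]string
	retained int // key+value bytes currently held
}

func (c *keyCache) canonical(key string) string {
	if cv, ok := c.entries[key]; ok {
		return cv
	}
	cv := http.CanonicalHeaderKey(key)
	size := len(key) + len(cv)
	admit := len(c.entries) < maxEntries // count cap ignores key size
	if c.byBytes {
		admit = c.retained+size <= maxBytes // oversized keys are never cached
	}
	if admit {
		c.entries[key] = cv
		c.retained += size
	}
	return cv
}

// retainedAfter sends n distinct keys of keyLen bytes through a fresh cache and returns the bytes held.
func retainedAfter(byBytes bool, n, keyLen int) int {
	c := &keyCache{byBytes: byBytes, entries: map[string]string{}}
	for i := 0; i < n; i++ {
		c.canonical(strings.Repeat("a", keyLen-5) + fmt.Sprintf("-%04d", i))
	}
	return c.retained
}

func main() { fmt.Println(retainedAfter(false, 40, 1<<20), retainedAfter(true, 40, 1<<20)) }
```

With the entry-count cap the model holds 32 keys plus their canonical copies regardless of size; with the byte budget the amount held per connection is bounded whatever key lengths arrive.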
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| golang.org/x/net/http2 (Go) | < 0.4.0 | 0.4.0 |
| golang.org/x/net (Go) | < 0.4.0 | 0.4.0 |
Affected products
- golang.org/x/net / golang.org/x/net/http2 (v5, range: 0)
- Go standard library / net/http (v5, range: 0)
References
- github.com/advisories/GHSA-xrjj-mj9h-534m (GHSA: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-41717 (GHSA: ADVISORY)
- cs.opensource.google/go/x/net (GHSA: PACKAGE)
- go.dev/cl/455635 (GHSA: WEB)
- go.dev/cl/455717 (GHSA: WEB)
- go.dev/issue/56350 (GHSA: WEB)
- groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ (GHSA: WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2 (GHSA: WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4SBIUECMLNC572P23DDOKJNKPJVX26SP (GHSA: WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/56B2FFESRYYP6IY2AZ3UWXLWKZ5IYZN4 (GHSA: WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5RSKA2II6QTD4YUKUNDVJQSRYSFC4VFR (GHSA: WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANIOPUXWIHVRA6CEWXCGOMX3YYS6KFHG (GHSA: WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B (GHSA: WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CSVIS6MTMFVBA7JPMRAUNKUOYEVSJYSB (GHSA: WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P (GHSA: WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NQGNAXK3YBPMUP3J4TECIRDHFGW37522 (GHSA: WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PUM4DIVOLJCBK5ZDP4LJOL24GXT3YSIR (GHSA: WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PW3XC47AUW5J5M2ULJX7WCCL3B2ETLMT (GHSA: WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q52IQI754YAE4XPR4QBRWPIVZWYGZ4FS (GHSA: WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QBKBAZBIOXZV5QCFHZNSVXULR32XJCYD (GHSA: WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU (GHSA: WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI (GHSA: WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WPEIZ7AMEJCZXU3FEJZMVRNHQZXX5P3I (GHSA: WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZSVEMQV5ROY5YW5QE3I57HT3ITWG5GCV (GHSA: WEB)
- pkg.go.dev/vuln/GO-2022-1144 (GHSA: WEB)
- security.gentoo.org/glsa/202311-09 (GHSA: WEB)