VYPR
Moderate severity · NVD Advisory · Published Apr 11, 2023 · Updated Feb 11, 2025

CVE-2023-26964


Description

An issue was discovered in hyper v0.13.7. h2-0.2.4 Stream stacking occurs when the H2 component processes HTTP2 RST_STREAM frames. As a result, the memory and CPU usage are high which can lead to a Denial of Service (DoS).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In h2-0.2.4 used by hyper v0.13.7, HTTP/2 RST_STREAM frames cause unbounded memory growth in the accept queue leading to DoS.

Vulnerability

Overview

CVE-2023-26964 describes a resource exhaustion vulnerability in the h2 crate (v0.2.4) as used by hyper v0.13.7. When the H2 component processes HTTP/2 RST_STREAM frames, streams that have been received but not yet accepted by the user can remain in a closed state in an internal slab. These streams are not immediately released, causing the slab to grow indefinitely [1][3]. The root cause is that the stream memory is freed only when stream.is_released() is true, but RST_STREAM does not trigger that release [3].

Exploitation

Mechanism

An attacker can send a flood of HEADERS frames followed immediately by RST_STREAM frames on the same HTTP/2 connection [3]. Since the streams are closed and no longer count toward the max_concurrent_streams limit, they accumulate in the accept queue. If the peer can send frames faster than the server's accept loop processes them, the memory and CPU usage increase steadily [1][4]. This attack does not require authentication and can be performed over a single TCP connection.

Impact

Successful exploitation leads to high memory and CPU consumption, ultimately causing a Denial of Service (DoS) condition. The vulnerability can exhaust available system memory, making the service unresponsive [2][3]. No other impacts (e.g., code execution, data leakage) have been reported.

Mitigation

The issue is fixed in h2 version 0.3.17 and later [4]. The fix introduces a maximum count for streams in the pending-accept but remotely-reset state; when the limit is reached, the connection sends a GOAWAY frame with ENHANCE_YOUR_CALM and marks itself as errored [1]. Upgrading to the patched version is recommended. No workarounds have been officially documented.
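The following is an added example, not h2's or hyper's own code. It is a standard-library-only Rust model of the behaviour described in the Overview, Mechanism and Mitigation sections: a frame parser for the HEADERS and RST_STREAM frames involved, a "pending accept" slab in which a remotely reset stream stays allocated until the user's accept loop releases it, and the 0.3.17-style cap on pending-accept-but-reset streams that answers with GOAWAY / ENHANCE_YOUR_CALM. The names (ServerConn, Slot, simulate), the cap value of 20 and the exact threshold semantics are assumptions; the sample byte stream is constructed here for the simulation.

```rust
// Added example: model of the pending-accept slab and the bounded-reset fix.
// Not h2's code; limit value and names are assumptions for illustration.
const FRAME_HEADERS: u8 = 0x1;
const FRAME_RST_STREAM: u8 = 0x3;
const FLAG_END_HEADERS: u8 = 0x4;
const ERR_CANCEL: u32 = 0x8;            // RFC 7540 §7 error codes
pub const ENHANCE_YOUR_CALM: u32 = 0xb;

#[derive(Debug, PartialEq)]
pub enum Frame {
    Headers { stream_id: u32 },
    RstStream { stream_id: u32, error_code: u32 },
    Other { frame_type: u8, stream_id: u32 },
}

/// Parse one frame (9-byte header + payload) from the front of `buf`.
/// Returns the frame and the unread remainder, or None if `buf` is incomplete or malformed.
pub fn parse_frame(buf: &[u8]) -> Option<(Frame, &[u8])> {
    if buf.len() < 9 { return None; }
    let len = u32::from_be_bytes([0, buf[0], buf[1], buf[2]]) as usize;
    let frame_type = buf[3];
    let stream_id = u32::from_be_bytes([buf[5], buf[6], buf[7], buf[8]]) & 0x7fff_ffff;
    let end = 9 + len;
    if buf.len() < end { return None; }
    let p = &buf[9..end];
    let frame = match frame_type {
        FRAME_HEADERS => Frame::Headers { stream_id },
        FRAME_RST_STREAM if p.len() == 4 => Frame::RstStream {
            stream_id, error_code: u32::from_be_bytes([p[0], p[1], p[2], p[3]]),
        },
        FRAME_RST_STREAM => return None, // wrong payload size: FRAME_SIZE_ERROR in a real peer
        t => Frame::Other { frame_type: t, stream_id },
    };
    Some((frame, &buf[end..]))
}

/// Serialize a frame; used only to build the constructed sample input below.
pub fn encode_frame(frame_type: u8, flags: u8, stream_id: u32, payload: &[u8]) -> Vec<u8> {
    let mut out = Vec::with_capacity(9 + payload.len());
    out.extend_from_slice(&(payload.len() as u32).to_be_bytes()[1..]);
    out.push(frame_type);
    out.push(flags);
    out.extend_from_slice(&(stream_id & 0x7fff_ffff).to_be_bytes());
    out.extend_from_slice(payload);
    out
}

/// Constructed sample input: `n` client streams (odd ids), each opened with a
/// HEADERS frame and reset by the peer before the server's user accepts it.
pub fn headers_then_reset(n: u32) -> Vec<u8> {
    let mut out = Vec::new();
    for i in 0..n {
        let id = 2 * i + 1;
        out.extend(encode_frame(FRAME_HEADERS, FLAG_END_HEADERS, id, &[])); // empty header block in the model
        out.extend(encode_frame(FRAME_RST_STREAM, 0, id, &ERR_CANCEL.to_be_bytes()));
    }
    out
}

struct Slot { stream_id: u32, reset: bool }

pub struct ServerConn {
    max_pending_accept_reset: Option<usize>, // None models h2 before 0.3.17 (no cap)
    pending_accept: Vec<Slot>,                // the slab: received, not yet accepted by the user
    pending_reset: usize,                     // how many of those the peer has already reset
    pub goaway: Option<u32>,                  // error code of the GOAWAY sent, if any
}

impl ServerConn {
    pub fn new(max_pending_accept_reset: Option<usize>) -> Self {
        ServerConn { max_pending_accept_reset, pending_accept: Vec::new(), pending_reset: 0, goaway: None }
    }
    pub fn pending_len(&self) -> usize { self.pending_accept.len() }
    pub fn pending_reset_count(&self) -> usize { self.pending_reset }

    pub fn recv(&mut self, frame: Frame) {
        if self.goaway.is_some() { return; } // connection is errored; peer frames are ignored
        match frame {
            Frame::Headers { stream_id } => self.pending_accept.push(Slot { stream_id, reset: false }),
            Frame::RstStream { stream_id, .. } => {
                let max = self.max_pending_accept_reset;
                if let Some(slot) = self.pending_accept.iter_mut().find(|s| s.stream_id == stream_id && !s.reset) {
                    slot.reset = true; // closed by the peer, but still occupying its slab slot
                    self.pending_reset += 1;
                    if max.map_or(false, |m| self.pending_reset > m) {
                        self.goaway = Some(ENHANCE_YOUR_CALM); // the 0.3.17-style cap trips
                    }
                }
            }
            Frame::Other { .. } => {}
        }
    }

    /// The user's accept loop: hand out the oldest live stream. A stream that was
    /// reset before acceptance is released here, the only point the slab frees it.
    pub fn accept(&mut self) -> Option<u32> {
        while !self.pending_accept.is_empty() {
            let slot = self.pending_accept.remove(0);
            if slot.reset { self.pending_reset -= 1; } else { return Some(slot.stream_id); }
        }
        None
    }

    /// Feed raw bytes from the peer; returns the number of frames parsed.
    pub fn feed(&mut self, mut bytes: &[u8]) -> usize {
        let mut n = 0;
        while let Some((frame, rest)) = parse_frame(bytes) { self.recv(frame); bytes = rest; n += 1; }
        n
    }
}

/// Returns (slab size, reset streams held, GOAWAY code) after `n` open+reset pairs with no accepts.
pub fn simulate(limit: Option<usize>, n: u32) -> (usize, usize, Option<u32>) {
    let mut conn = ServerConn::new(limit);
    conn.feed(&headers_then_reset(n));
    (conn.pending_len(), conn.pending_reset_count(), conn.goaway)
}

fn main() {
    println!("no cap:  {:?}", simulate(None, 1000));     // slab grows with every reset stream
    println!("cap 20:  {:?}", simulate(Some(20), 1000)); // GOAWAY 0xb after the cap is exceeded
}
```

Without the cap the slab holds every reset stream until the user's accept loop drains it, so a peer that sends faster than the loop runs keeps the slab growing; with the cap, the connection gives up with ENHANCE_YOUR_CALM once 20 reset-but-unaccepted streams are held, which is the bounded behaviour the patched version introduces.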

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions   Patched versions
h2 (crates.io)   < 0.3.17            0.3.17

Affected products: 17

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 8

News mentions: 0

No linked articles in our index yet.