Unrated severityNVD Advisory· Published Apr 4, 2024· Updated Nov 4, 2025

Reading unbounded number of HTTP/2 CONTINUATION frames to cause excessive CPU usage

CVE-2024-28182

Description

nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.

Affected products

osv-coords48 versions
pkg:apk/chainguard/libnghttp2-14 pkg:apk/chainguard/nghttp2 pkg:apk/chainguard/nghttp2-dev pkg:apk/chainguard/nghttp2-doc pkg:apk/wolfi/libnghttp2-14 pkg:apk/wolfi/nghttp2 pkg:apk/wolfi/nghttp2-dev pkg:apk/wolfi/nghttp2-doc pkg:rpm/almalinux/libnghttp2 pkg:rpm/almalinux/libnghttp2-devel pkg:rpm/almalinux/nghttp2 pkg:rpm/almalinux/nodejs pkg:rpm/almalinux/nodejs-devel pkg:rpm/almalinux/nodejs-docs pkg:rpm/almalinux/nodejs-full-i18n pkg:rpm/almalinux/nodejs-libs pkg:rpm/almalinux/nodejs-nodemon pkg:rpm/almalinux/nodejs-packaging pkg:rpm/almalinux/nodejs-packaging-bundler pkg:rpm/almalinux/npm pkg:rpm/opensuse/nghttp2&distro=openSUSE%20Leap%2015.5 pkg:rpm/opensuse/nghttp2&distro=openSUSE%20Leap%20Micro%205.3 pkg:rpm/opensuse/nghttp2&distro=openSUSE%20Leap%20Micro%205.4 pkg:rpm/opensuse/nghttp2&distro=openSUSE%20Tumbleweed pkg:rpm/opensuse/nghttp2-python&distro=openSUSE%20Leap%2015.5 pkg:rpm/suse/nghttp2&distro=SUSE%20Enterprise%20Storage%207.1 pkg:rpm/suse/nghttp2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS pkg:rpm/suse/nghttp2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS pkg:rpm/suse/nghttp2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS pkg:rpm/suse/nghttp2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS pkg:rpm/suse/nghttp2&distro=SUSE%20Linux%20Enterprise%20Micro%205.1 pkg:rpm/suse/nghttp2&distro=SUSE%20Linux%20Enterprise%20Micro%205.2 pkg:rpm/suse/nghttp2&distro=SUSE%20Linux%20Enterprise%20Micro%205.3 pkg:rpm/suse/nghttp2&distro=SUSE%20Linux%20Enterprise%20Micro%205.4 pkg:rpm/suse/nghttp2&distro=SUSE%20Linux%20Enterprise%20Micro%205.5 pkg:rpm/suse/nghttp2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5 pkg:rpm/suse/nghttp2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 pkg:rpm/suse/nghttp2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSS pkg:rpm/suse/nghttp2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS pkg:rpm/suse/nghttp2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS pkg:rpm/suse/nghttp2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 pkg:rpm/suse/nghttp2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2 pkg:rpm/suse/nghttp2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3 pkg:rpm/suse/nghttp2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4 pkg:rpm/suse/nghttp2&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 pkg:rpm/suse/nghttp2&distro=SUSE%20Linux%20Micro%206.0 pkg:rpm/suse/nghttp2&distro=SUSE%20Manager%20Proxy%204.3 pkg:rpm/suse/nghttp2&distro=SUSE%20Manager%20Server%204.3
< 1.61.0-r0+ 47 more
- (no CPE)range: < 1.61.0-r0
- (no CPE)range: < 1.61.0-r0
- (no CPE)range: < 1.61.0-r0
- (no CPE)range: < 1.61.0-r0
- (no CPE)range: < 1.61.0-r0
- (no CPE)range: < 1.61.0-r0
- (no CPE)range: < 1.61.0-r0
- (no CPE)range: < 1.61.0-r0
- (no CPE)range: < 1.43.0-5.el9_4.3
- (no CPE)range: < 1.43.0-5.el9_4.3
- (no CPE)range: < 1.43.0-5.el9_4.3
- (no CPE)range: < 1:20.12.2-2.module_el8.9.0+3827+11b91f3e
- (no CPE)range: < 1:20.12.2-2.module_el8.9.0+3827+11b91f3e
- (no CPE)range: < 1:20.12.2-2.module_el8.9.0+3827+11b91f3e
- (no CPE)range: < 1:20.12.2-2.module_el8.9.0+3827+11b91f3e
- (no CPE)range: < 1:16.20.2-8.el9_4
- (no CPE)range: < 3.0.1-1.module_el8.9.0+3731+490e3ce5
- (no CPE)range: < 2021.06-4.module_el8.9.0+3684+11b9e959
- (no CPE)range: < 2021.06-4.module_el8.9.0+3684+11b9e959
- (no CPE)range: < 1:10.5.0-1.20.12.2.2.module_el8.9.0+3827+11b91f3e
- (no CPE)range: < 1.40.0-150200.17.1
- (no CPE)range: < 1.40.0-150200.17.1
- (no CPE)range: < 1.40.0-150200.17.1
- (no CPE)range: < 1.61.0-1.1
- (no CPE)range: < 1.40.0-150200.17.1
- (no CPE)range: < 1.40.0-150200.17.1
- (no CPE)range: < 1.40.0-150200.17.1
- (no CPE)range: < 1.40.0-150200.17.1
- (no CPE)range: < 1.40.0-150200.17.1
- (no CPE)range: < 1.40.0-150200.17.1
- (no CPE)range: < 1.40.0-150200.17.1
- (no CPE)range: < 1.40.0-150200.17.1
- (no CPE)range: < 1.40.0-150200.17.1
- (no CPE)range: < 1.40.0-150200.17.1
- (no CPE)range: < 1.40.0-150200.17.1
- (no CPE)range: < 1.40.0-150200.17.1
- (no CPE)range: < 1.39.2-3.18.1
- (no CPE)range: < 1.40.0-150200.17.1
- (no CPE)range: < 1.40.0-150200.17.1
- (no CPE)range: < 1.40.0-150200.17.1
- (no CPE)range: < 1.39.2-3.18.1
- (no CPE)range: < 1.40.0-150200.17.1
- (no CPE)range: < 1.40.0-150200.17.1
- (no CPE)range: < 1.40.0-150200.17.1
- (no CPE)range: < 1.39.2-3.18.1
- (no CPE)range: < 1.52.0-5.1
- (no CPE)range: < 1.40.0-150200.17.1
- (no CPE)range: < 1.40.0-150200.17.1
Nghttp2/Nghttp2cpe-rescue
Range: < 1.61.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.020
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000