FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

nghttp2 -- DoS vulnerability

Affected packages
libnghttp2 < 1.41.0
nghttp2 < 1.41.0


VuXML ID 4bb56d2f-a5b0-11ea-a860-08002728f74c
Discovery 2020-06-02
Entry 2020-06-03

nghttp2 security advisories:

The overly large HTTP/2 SETTINGS frame payload causes denial of service.

The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%.


CVE Name CVE-2020-11080