CVE-2023-26964
HIGH7.5EPSS 0.32%Resource exhaustion vulnerability in h2 may lead to Denial of Service (DoS)
Published: 4/11/2023Modified: 4/28/2026
Description
An issue was discovered in hyper v0.13.7. h2-0.2.4 Stream stacking occurs when the H2 component processes HTTP2 RST_STREAM frames. As a result, the memory and CPU usage are high which can lead to a Denial of Service (DoS).
Affected packages (3)
- crates.io/h2from 0, < 0.3.17
- crates.io/h2>= 0.0.0-0, < 0.3.17
- Debian/rust-h2from 0, < 0.3.13-2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References (8)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-26964
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2023-26964
- PATCHhttps://crates.io/crates/h2
- PATCHhttps://github.com/hyperium/hyper
- WEBhttps://github.com/hyperium/h2/issues/621
- WEBhttps://github.com/hyperium/h2/pull/668
- WEBhttps://github.com/hyperium/hyper/issues/2877
- WEBhttps://rustsec.org/advisories/RUSTSEC-2023-0034.html