CVE-2024-28182
Publication date 4 April 2024
Last updated 24 July 2024
Ubuntu priority
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| nghttp2 | 24.04 LTS noble |
Fixed 1.59.0-1ubuntu0.1
|
| 22.04 LTS jammy |
Fixed 1.43.0-1ubuntu0.2
|
|
| 20.04 LTS focal |
Fixed 1.40.0-1ubuntu0.3
|
|
| 18.04 LTS bionic |
Fixed 1.30.0-1ubuntu1+esm2
|
|
| 16.04 LTS xenial |
Fixed 1.7.1-1ubuntu0.1~esm2
|
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu ProReferences
Related Ubuntu Security Notices (USN)
- USN-6754-1
- nghttp2 vulnerabilities
- 25 April 2024
- USN-6754-2
- nghttp2 vulnerability
- 7 May 2024