vulnerability

Red Hat: CVE-2019-9515: CVE-2019-9515 HTTP/2: flood using SETTINGS frames results in unbounded memory growth (Multiple Advisories)

Name: Red Hat: CVE-2019-9515: CVE-2019-9515 HTTP/2: flood using SETTINGS frames results in unbounded memory growth (Multiple Advisories)
Creator: Red Hat
Published: 2019-08-13T00:00:00.000Z
Keywords: CVE, CWE-400, CWE-770, Red Hat, 2019, 9515, 9515 HTTP/2, redhat-upgrade-nodejs, redhat-upgrade-nodejs-debuginfo, redhat-upgrade-nodejs-debugsource, redhat-upgrade-nodejs-devel, redhat-upgrade-nodejs-devel-debuginfo, redhat-upgrade-nodejs-docs, redhat-upgrade-nodejs-nodemon, redhat-upgrade-nodejs-packaging, redhat-upgrade-npm, Severity 8

Try Surface Command

Back to search

Severity

CVSS

(AV:N/AC:L/Au:N/C:N/I:N/A:C)

Published

Aug 13, 2019

Added

Oct 1, 2019

Modified

Mar 27, 2026

Description

Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

Solutions

redhat-upgrade-nodejsredhat-upgrade-nodejs-debuginforedhat-upgrade-nodejs-debugsourceredhat-upgrade-nodejs-develredhat-upgrade-nodejs-devel-debuginforedhat-upgrade-nodejs-docsredhat-upgrade-nodejs-nodemonredhat-upgrade-nodejs-packagingredhat-upgrade-npm

References

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report