CVE-2022-41717
excessive memory growth vulnerability in http2 (Go)
What is CVE-2022-41717 About?
This vulnerability allows an attacker to cause excessive memory growth in Go servers accepting HTTP/2 requests. By sending very large HTTP header keys, an attacker can force the server to allocate significant memory per connection, leading to a denial of service. Exploitation is relatively straightforward due to the nature of HTTP/2 header caching.
Affected Software
- golang.org/x/net/http2 <0.4.0
- golang.org/x/net <0.4.0
- stdlib <1.18.9
Technical Details
The vulnerability affects Go servers that accept HTTP/2 requests. HTTP/2 implementations typically maintain a header compression table (the HPACK dynamic table) per connection to optimize header transmission. While that table has a cap on the total number of entries, the flaw here lies in how Go's HTTP/2 implementation handles very large header keys. An attacker can send HTTP/2 requests containing excessively long or numerous unique header keys. Although the number of table entries is capped, the size of the individual keys can drive significant memory allocation in the connection's header cache, potentially consuming approximately 64 MiB of memory per open connection. By opening multiple such connections or continuously sending large keys, an attacker can exhaust the server's memory and cause a denial of service.
What is the Impact of CVE-2022-41717?
Successful exploitation may allow attackers to cause excessive memory consumption, leading to a denial of service due to resource exhaustion in Go servers.
What is the Exploitability of CVE-2022-41717?
Exploitation is specific to Go servers supporting HTTP/2 and involves sending crafted HTTP/2 requests. It is of medium complexity, as it requires constructing HTTP/2 frames with unusually large header keys. No specific authentication is required, as the attack targets the connection establishment and header processing phase of HTTP/2. Privilege requirements are low, as it's an unauthenticated network attack. This is a remote vulnerability. The special conditions include the target being a Go server with HTTP/2 enabled and potentially a specific build that doesn't adequately guard against this memory allocation behavior. The risk of exploitation is increased if the server is publicly exposed and relies on Go's standard HTTP/2 library.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| domdom82 | Link | Exploit for CVE-2022-41717 |
What are the Available Fixes for CVE-2022-41717?
About the Fix from Resolved Security
The patch introduces a hard limit (2048 bytes) on the total size of cached canonical HTTP/2 header keys, preventing unbounded memory growth by capping the size of the canonHeader map. This fixes CVE-2022-41717 by mitigating a denial-of-service risk where an attacker could send many unique header names to exhaust server memory.
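To make the mechanism from the Technical Details section and the fix described above concrete, the following is an added Go example (not the golang.org/x/net source and not Resolved Security's patch). It models a per-connection cache that maps wire header names to their canonical form: in the pre-fix mode every distinct name a peer sends is retained for the life of the connection, while in the fixed mode the result is still returned but only cached while the cumulative size of cached keys stays within a 2048-byte cap. The constant name, the simplified accounting (key bytes only) and the "x-hdr-NNNN" names are this example's own assumptions.

```go
package main

import (
	"fmt"
	"net/http"
)

// Cap on the cumulative size of cached canonical header keys, matching the
// 2048-byte limit described for the fix. The constant name is this
// example's own, not taken from the x/net source.
const maxCachedCanonicalHeadersKeysSize = 2048

// canonCache is a constructed model of the per-connection cache that maps
// header names as received on the wire to their canonical form.
type canonCache struct {
	entries  map[string]string
	keysSize int  // bytes of key material currently retained
	bounded  bool // true: apply the fix's cap; false: pre-fix behaviour
}

func newCanonCache(bounded bool) *canonCache {
	return &canonCache{entries: make(map[string]string), bounded: bounded}
}

// canonicalHeader canonicalizes v, remembering the result for this
// connection. Pre-fix, every unique name a peer sends is retained until
// the connection closes, so memory grows with the number and length of
// distinct names. With the cap, the canonical form is still returned but
// is only cached while the cumulative key size stays within the limit.
func (c *canonCache) canonicalHeader(v string) string {
	if cv, ok := c.entries[v]; ok {
		return cv
	}
	cv := http.CanonicalHeaderKey(v)
	if !c.bounded || c.keysSize+len(v) <= maxCachedCanonicalHeadersKeysSize {
		c.entries[v] = cv
		c.keysSize += len(v)
	}
	return cv
}

// simulate feeds n distinct (constructed) header names through one
// connection's cache and reports how many entries and key bytes it holds.
func simulate(bounded bool, n int) (entries, keysSize int) {
	c := newCanonCache(bounded)
	for i := 0; i < n; i++ {
		c.canonicalHeader(fmt.Sprintf("x-hdr-%04d", i)) // 10-byte names
	}
	return len(c.entries), c.keysSize
}

func main() {
	for _, bounded := range []bool{false, true} {
		e, s := simulate(bounded, 1000)
		fmt.Printf("bounded=%-5v entries=%d keyBytes=%d\n", bounded, e, s)
	}
}
```

With 1000 distinct 10-byte names on a single connection, the unbounded cache holds all 1000 entries (10000 key bytes) and keeps growing with every further unique name, whereas the capped cache stops retaining entries at 204 (2040 bytes) while still serving correct canonical forms. For monitoring, per-connection heap growth that scales with the count of distinct header names rather than with request volume is the signal to watch on unpatched versions.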
Available Upgrade Options
- stdlib <1.18.9 → Upgrade to 1.18.9
- golang.org/x/net <0.4.0 → Upgrade to 0.4.0
- golang.org/x/net/http2 <0.4.0 → Upgrade to 0.4.0
Additional Resources
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WPEIZ7AMEJCZXU3FEJZMVRNHQZXX5P3I/
- https://go.dev/issue/56350
- https://go.dev/cl/455635
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5RSKA2II6QTD4YUKUNDVJQSRYSFC4VFR/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/56B2FFESRYYP6IY2AZ3UWXLWKZ5IYZN4
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NQGNAXK3YBPMUP3J4TECIRDHFGW37522
- https://pkg.go.dev/vuln/GO-2022-1144
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PUM4DIVOLJCBK5ZDP4LJOL24GXT3YSIR/
What are Similar Vulnerabilities to CVE-2022-41717?
Similar Vulnerabilities: CVE-2019-19906, CVE-2019-19907, CVE-2019-19921, CVE-2020-1967, CVE-2020-13936
