CVE-2022-41723

Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.

A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of requests.

Philippe Antoine discovered that Go incorrectly handled crafted HTTP/2 streams. An attacker could possibly use this issue to cause a denial of service. Marten Seemann discovered that Go did not properly manage memory under certain circumstances. An attacker could possibly use this issue to cause a panic resulting in a denial of service. Ameya Darshan and Jakob Ackermann discovered that Go did not properly validate the amount of memory and disk files ReadForm can consume. An attacker could possibly use this issue to cause a panic resulting in a denial of service.

*Credits: Philippe Antoine (Catena cyber)

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-09-28 CVE Reserved
2023-02-28 CVE Published
2025-02-13 CVE Updated
2025-04-02 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-400: Uncontrolled Resource Consumption

CAPEC

References (16)

URL	Tag	Source
https://go.dev/issue/57855	Issue Tracking
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MA5XS5DAOJ5PKKNG5TUXKPQOFHT5VBC	Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGW7GE2Z32ZT47UFAQFDRQE33B7Q7LMT	Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLBQ3A7ROLEQXQLXFDLNJ7MYPKG5GULE	Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XX3IMUTZKRQ73PBZM4E2JP4BKYH4C6XE	Third Party Advisory
https://security.gentoo.org/glsa/202311-09
https://www.couchbase.com/alerts

URL	Date	SRC

URL	Date	SRC
https://go.dev/cl/468135	2023-11-25
https://go.dev/cl/468295	2023-11-25

URL	Date	SRC
https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E	2023-11-25
https://pkg.go.dev/vuln/GO-2023-1571	2023-11-25
https://access.redhat.com/security/cve/CVE-2022-41723	2024-07-25
https://bugzilla.redhat.com/show_bug.cgi?id=2178358	2024-07-25

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Golang Search vendor "Golang"		Go Search vendor "Golang" for product "Go"				< 1.19.6 Search vendor "Golang" for product "Go" and version " < 1.19.6"		-		Affected
Golang Search vendor "Golang"		Go Search vendor "Golang" for product "Go"				1.20.0 Search vendor "Golang" for product "Go" and version "1.20.0"		-		Affected
Golang Search vendor "Golang"		Hpack Search vendor "Golang" for product "Hpack"				< 0.7.0 Search vendor "Golang" for product "Hpack" and version " < 0.7.0"		go		Affected
Golang Search vendor "Golang"		Http2 Search vendor "Golang" for product "Http2"				< 0.7.0 Search vendor "Golang" for product "Http2" and version " < 0.7.0"		go		Affected