{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/http2/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-31935"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["cve","dos","http2","suricata"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-31935 describes a denial-of-service vulnerability affecting Suricata, a network IDS, IPS, and NSM engine. The vulnerability lies in the processing of HTTP2 continuation frames. Versions prior to 7.0.15 and 8.0.4 are susceptible to memory exhaustion when flooded with maliciously crafted HTTP2 continuation frames. This excessive memory consumption typically results in the operating system shutting down the Suricata process to prevent system instability. The vulnerability was reported and patched by the Open Information Security Foundation (OISF), the maintainers of Suricata, in versions 7.0.15 and 8.0.4. This vulnerability can be exploited by unauthenticated attackers from the network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Suricata instance running a version prior to 7.0.15 or 8.0.4.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes an HTTP2 connection with the target Suricata instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a series of malicious HTTP2 continuation frames.\u003c/li\u003e\n\u003cli\u003eThe attacker floods the Suricata instance with these crafted continuation frames over the established HTTP2 connection.\u003c/li\u003e\n\u003cli\u003eThe Suricata process attempts to allocate memory to process the excessive number of continuation frames.\u003c/li\u003e\n\u003cli\u003eMemory consumption rapidly increases as the vulnerable code fails to properly handle the flood of continuation frames.\u003c/li\u003e\n\u003cli\u003eThe system reaches its memory limit, leading to resource exhaustion.\u003c/li\u003e\n\u003cli\u003eThe operating system intervenes and terminates the Suricata process to prevent further system instability, resulting in a denial-of-service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-31935 results in a denial-of-service condition, effectively disabling the Suricata instance\u0026rsquo;s ability to perform network intrusion detection and prevention. This can leave networks unprotected from malicious traffic. The vulnerability can be triggered remotely without authentication, making it a readily exploitable threat. The precise number of affected Suricata deployments is unknown, but organizations relying on Suricata for network security monitoring are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all Suricata installations to version 7.0.15 or 8.0.4 or later to patch CVE-2026-31935.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious HTTP2 Continuation Frame Flooding\u0026rdquo; to monitor for potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor Suricata process health and resource consumption for unexpected spikes in memory usage that could indicate a denial-of-service attack.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T15:16:37Z","date_published":"2026-04-02T15:16:37Z","id":"/briefs/2026-04-suricata-http2-dos/","summary":"A denial of service vulnerability, CVE-2026-31935, exists in Suricata versions prior to 7.0.15 and 8.0.4, where flooding the system with crafted HTTP2 continuation frames leads to memory exhaustion and process termination.","title":"Suricata HTTP2 Continuation Frame Flooding Denial of Service (CVE-2026-31935)","url":"https://feed.craftedsignal.io/briefs/2026-04-suricata-http2-dos/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["denial-of-service","http2","netty","cve-2026-33871"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Netty HTTP/2 CONTINUATION Frame Flood vulnerability (CVE-2026-33871) allows a remote, unauthenticated user to trigger a Denial of Service (DoS) condition on a Netty-based HTTP/2 server. This is achieved by sending a flood of HTTP/2 \u003ccode\u003eCONTINUATION\u003c/code\u003e frames, each containing a zero-byte payload. The vulnerability exists because Netty\u0026rsquo;s \u003ccode\u003eDefaultHttp2FrameReader\u003c/code\u003e does not enforce a limit on the number of \u003ccode\u003eCONTINUATION\u003c/code\u003e frames it processes after receiving a \u003ccode\u003eHEADERS\u003c/code\u003e frame without the \u003ccode\u003eEND_HEADERS\u003c/code\u003e flag. The zero-byte payload bypasses the \u003ccode\u003emaxHeaderListSize\u003c/code\u003e protection, as this protection is only triggered when the added payload has a non-zero length. This forces the server to consume excessive CPU resources, monopolizing a connection thread and rendering the server unresponsive to legitimate requests. This vulnerability impacts Netty versions prior to 4.1.132.Final and versions between 4.2.0.Alpha1 and 4.2.10.Final.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker establishes a TCP connection to the targeted Netty HTTP/2 server.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP/2 \u003ccode\u003eHEADERS\u003c/code\u003e frame to initiate a new stream. The \u003ccode\u003eEND_HEADERS\u003c/code\u003e flag is deliberately omitted from this frame.\u003c/li\u003e\n\u003cli\u003eThe server, upon receiving the \u003ccode\u003eHEADERS\u003c/code\u003e frame without the \u003ccode\u003eEND_HEADERS\u003c/code\u003e flag, prepares to receive subsequent \u003ccode\u003eCONTINUATION\u003c/code\u003e frames.\u003c/li\u003e\n\u003cli\u003eThe attacker floods the server with a series of \u003ccode\u003eCONTINUATION\u003c/code\u003e frames, each containing a zero-byte payload. These frames are sent over the established TCP connection.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eDefaultHttp2FrameReader\u003c/code\u003e processes each \u003ccode\u003eCONTINUATION\u003c/code\u003e frame, but the \u003ccode\u003everifyContinuationFrame()\u003c/code\u003e method fails to enforce a limit on the number of received frames.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eHeadersBlockBuilder.addFragment()\u003c/code\u003e method processes the zero-byte payload, bypassing the \u003ccode\u003emaxHeaderListSize\u003c/code\u003e protection. The server CPU continues to process the stream of \u003ccode\u003eCONTINUATION\u003c/code\u003e frames.\u003c/li\u003e\n\u003cli\u003eThe server exhausts CPU resources on the connection thread, as it is continuously processing the flood of \u003ccode\u003eCONTINUATION\u003c/code\u003e frames.\u003c/li\u003e\n\u003cli\u003eLegitimate users are unable to connect to the server or experience significant delays due to the server\u0026rsquo;s unresponsiveness. This leads to a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability leads to a CPU-based Denial of Service (DoS). All services using the vulnerable Netty HTTP/2 server implementation are susceptible. An unauthenticated attacker can exhaust server CPU resources, preventing legitimate users from accessing the service. The minimal bandwidth requirement for this attack makes it practical and scalable, allowing an attacker to disrupt services with limited resources. Successful exploitation results in service unavailability, impacting business operations and user experience.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Netty version 4.1.132.Final or 4.2.10.Final or later to patch CVE-2026-33871.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on HTTP/2 \u003ccode\u003eCONTINUATION\u003c/code\u003e frames to mitigate the impact of a flood attack. Consider implementing this at the application level if upgrading Netty is not immediately feasible.\u003c/li\u003e\n\u003cli\u003eMonitor CPU usage on servers running Netty HTTP/2 services. Alert on sustained high CPU usage, which may indicate an ongoing attack.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to detect potential exploitation attempts in your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-26T18:51:14Z","date_published":"2026-03-26T18:51:14Z","id":"/briefs/2026-05-03-netty-http2-dos/","summary":"A denial of service vulnerability exists in Netty's HTTP/2 server implementation where an unauthenticated user can exhaust server CPU resources by sending a flood of CONTINUATION frames with zero-byte payloads, bypassing size-based mitigations and leading to service unavailability with minimal bandwidth usage; affected versions include netty-codec-http2 \u003c 4.1.132.Final and netty-codec-http2 versions \u003e= 4.2.0.Alpha1 and \u003c 4.2.10.Final.","title":"Netty HTTP/2 CONTINUATION Frame Flood Denial of Service","url":"https://feed.craftedsignal.io/briefs/2026-05-03-netty-http2-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Http2","version":"https://jsonfeed.org/version/1.1"}