CVE-2026-54428

Summary

Allocation of resources without limits or throttling in the HTTP/2 HPACK decoder in Apache HttpComponents Core (5.4.2 and earlier, 5.5-beta1 and earlier) allows an remote attacker to cause a denial of service through memory exhaustion by sending oversized compressed header blocks before the HTTP/2 SETTINGS acknowledgement causes the configured header list size limit to be applied.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache HttpComponents Core5.5-alpha <= 5.5-beta1affected
Apache Software FoundationApache HttpComponents Core5.0-alpha <= 5.4.2affected

Weaknesses

  • CWE-770: CWE-770: Allocation of Resources Without Limits or Throttling
  • CWE-400: CWE-400: Uncontrolled Resource Consumption

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References