medium
5.3
CWE
770
Advisory Published
Advisory Published
Updated

CVE-2022-41717: Excessive memory growth in net/http and golang.org/x/net/http2

First published: Thu Dec 08 2022(Updated: )

An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.

Credit: security@golang.org security@golang.org security@golang.org

Affected SoftwareAffected VersionHow to fix
go/golang.org/x/net<0.4.0
0.4.0
go/golang.org/x/net/http2<0.4.0
0.4.0
redhat/golang<1.19.4
1.19.4
redhat/golang<1.18.9
1.18.9
debian/golang-1.15<=1.15.15-1~deb11u4
debian/golang-1.19
1.19.8-2
debian/golang-golang-x-net<=1:0.0+git20210119.5f4716e+dfsg-4
1:0.7.0+dfsg-1
1:0.27.0-1
IBM Data Virtualization on Cloud Pak for Data<=3.0
IBM Watson Query with Cloud Pak for Data<=2.2
IBM Watson Query with Cloud Pak for Data<=2.1
IBM Watson Query with Cloud Pak for Data<=2.0
IBM Data Virtualization on Cloud Pak for Data<=1.8
IBM Data Virtualization on Cloud Pak for Data<=1.7
Golang<1.18.9
Golang>=1.19.0<1.19.4
Go HTTP/2<0.4.0
Fedora=37
Fedora=38

Remedy

https://go.dev/cl/455635

Remedy

https://go.dev/cl/455717

Remedy

https://go.dev/issue/56350

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

  • What is the severity of CVE-2022-41717?

    The severity of CVE-2022-41717 is medium with a severity value of 5.3.

  • How does CVE-2022-41717 affect Go server?

    CVE-2022-41717 can cause excessive memory growth in a Go server accepting HTTP/2 requests.

  • What can an attacker do with CVE-2022-41717?

    An attacker exploiting CVE-2022-41717 can cause the server to allocate excessive memory by sending very large keys.

  • Which versions of Golang are affected by CVE-2022-41717?

    Versions up to and exclusive of 1.18.9 and versions between inclusive and exclusive of 1.19.0 to 1.19.4 are affected by CVE-2022-41717.

  • How can I fix CVE-2022-41717?

    To fix CVE-2022-41717, update to Golang version 1.18.9 or 1.19.4, depending on your current version.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203