CISA Issues HTTP/2 DoS Alert for Stalled Flow-Control Buffering
A denial-of-service vulnerability affects some HTTP/2 server implementations when response data is buffered while flow control is stalled. A remote, unauthenticated attacker can trigger memory exhaustion and service interruption by using standard flow-control parameters, including SETTINGS_INITIAL_WINDOW_SIZE = 0, to stall outbound data across multiple simultaneous request streams.
The issue is tied to how HTTP/2 flow control regulates data transmission using client-advertised window sizes for the maximum volume of unacknowledged data in transit. A client can stall outbound flow control by withholding WINDOW_UPDATE frames or by advertising SETTINGS_INITIAL_WINDOW_SIZE = 0. In some implementations, the server continues processing requests and generating complete response bodies despite being unable to transmit them, leaving the response data buffered in memory. Each stalled stream retains its allocated buffer until the connection closes or a timeout occurs. The advisory lists CVE-2026-59762, CVE-2026-59173, and CVE-2026-44909, and cites RFC 9113 and an F5 article (K000162231).
A remote, unauthenticated attacker can cause denial-of-service conditions on affected HTTP/2 server implementations. Under high resource limits, an attacker may induce unbounded memory amplification resulting in OOM kills, severe swap thrashing, or full system unresponsiveness. Under default or lower limits, the attack can exhaust available connections or worker resources, temporarily preventing new clients from establishing sessions and degrading overall service availability.
Several vendors have addressed the vulnerability in recent updates, with individual CVEs and remediation details referenced in the Vendor Information section. The advisory also states that implementations that enforce memory ceilings, restrict concurrent stream counts, and actively terminate stalled connections can substantially reduce the risk of denial-of-service conditions.
Thanks to the Okta Red Team for researching and reporting this vulnerability, and the document was written by Molly Jaconski.