Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Wed, 01 Jul 2026 19:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
cvssV3_1
|
Wed, 01 Jul 2026 17:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Allocation of resources without limits or throttling in the HTTP/2 HPACK decoder in Apache HttpComponents Core (5.4.2 and earlier, 5.5-beta1 and earlier) allows an remote attacker to cause a denial of service through memory exhaustion by sending oversized compressed header blocks before the HTTP/2 SETTINGS acknowledgement causes the configured header list size limit to be applied. | |
| Title | Apache HttpComponents Core: HPackDecoder Unlimited Header List Size Before SETTINGS ACK | |
| Weaknesses | CWE-400 CWE-770 |
|
| References |
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: apache
Published:
Updated: 2026-07-01T18:15:56.634Z
Reserved: 2026-06-14T09:39:30.814Z
Link: CVE-2026-54428
Updated: 2026-07-01T17:36:48.420Z
No data.
No data.
OpenCVE Enrichment
No data.