What is CVE-2024-27316?

CVE-2024-27316 is a vulnerability in Apache Software Foundation Http Server, classified under Allocation of Resources Without Limits or Throttling. Published 2024-04-04.

Is CVE-2024-27316 known to be exploited?

13 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Resource exhaustion in Apache Software Foundation Http Server

CVE-2024-27316

HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.

EPSS: 0.876 (99.5th percentile) — read the EPSS interpretation.

Affected products

Apache Software Foundation Http Server — versions 2.4.17

Weakness classification (CWE)

CWE-770 — Allocation of Resources Without Limits or Throttling

Public proof-of-concept exploits

lockness-Ko/CVE-2024-27316
aeyesec/CVE-2024-27316_poc
Ampferl/poc_
DrewskyDev/H2Flood
EzeTauil/Maquina-Upload
NeoOniX/5ATTACK
Vos68/HTTP2-Continuation-Flood-PoC
aeyesec/CVE-2024-27316_
cyb3r-w0lf/nuclei-template-collection
dusbot/cpe2cve

References

httpd.apache.org/security/vulnerabilities_24.html (vendor-advisory)
www.openwall.com/lists/oss-security/2024/04/03/16
www.openwall.com/lists/oss-security/2024/04/04/4
support.apple.com/kb/HT214119
seclists.org/fulldisclosure/2024/Jul/18

Frequently asked questions

What is CVE-2024-27316?: CVE-2024-27316 is a vulnerability in Apache Software Foundation Http Server, classified under Allocation of Resources Without Limits or Throttling. Published 2024-04-04.
Is CVE-2024-27316 known to be exploited?: 13 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.