Resource exhaustion in Moby Spdystream

CVE-2026-35469

spdystream is a Go library for multiplexing streams over SPDY connections. In versions 0.5.0 and below, the SPDY/3 frame parser does not validate attacker-controlled counts and lengths before allocating memory. Three allocation paths are a…

EPSS: 0.000 (8.7th percentile) — read the EPSS interpretation.

Affected products

Moby Spdystream — versions < 0.5.1

Weakness classification (CWE)

CWE-770 — Allocation of Resources Without Limits or Throttling

References

https://github.com/moby/spdystream/security/advisories/GHSA-pc3f-x583-g7j2 (x_refsource_CONFIRM)
https://github.com/moby/spdystream/releases/tag/v0.5.1 (x_refsource_MISC)