CVE-2024-1635
Undertow: out-of-memory error after several closed connections with wildfly-http-client protocol
CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
0th
A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immediately, the server will end with both memory and open file limits exhausted at some point, depending on the amount of memory available. At HTTP upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting ServerConnectionOpenListener. Because the remoting connection originates in Undertow as part of the HTTP upgrade, there is an external layer to the remoting connection. This connection is unaware of the outermost layer when closing the connection during the connection opening procedure. Hence, the Undertow WriteTimeoutStreamSinkConduit is not notified of the closed connection in this scenario. Because WriteTimeoutStreamSinkConduit creates a timeout task, the whole dependency tree leaks via that task, which is added to XNIO WorkerThread. So, the workerThread points to the Undertow conduit, which contains the connections and causes the leak.
| CWE | CWE-400 |
| Published | Feb 19, 2024 |
| Last Updated | Mar 17, 2026 |
Stay Ahead of the Next One
Get instant alerts for
Be the first to know when new high vulnerabilities are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Affected Versions
Red Hat / Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2
All versions affected Red Hat / Red Hat Fuse 7.13.0
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
All versions affected Red Hat / Red Hat Single Sign-On 7.6 for RHEL 7
All versions affected Red Hat / Red Hat Single Sign-On 7.6 for RHEL 8
All versions affected Red Hat / Red Hat Single Sign-On 7.6 for RHEL 9
All versions affected Red Hat / RHEL-8 based Middleware Containers
All versions affected Red Hat / RHSSO 7.6.8
All versions affected Red Hat / OpenShift Serverless
All versions affected Red Hat / Red Hat build of Apache Camel 4 for Quarkus 3
All versions affected Red Hat / Red Hat build of Apache Camel for Spring Boot 3
All versions affected Red Hat / Red Hat build of Apache Camel for Spring Boot 4
All versions affected Red Hat / Red Hat build of Apicurio Registry 2
All versions affected Red Hat / Red Hat Build of Keycloak
All versions affected Red Hat / Red Hat build of OptaPlanner 8
All versions affected Red Hat / Red Hat build of Quarkus
All versions affected Red Hat / Red Hat build of Quarkus
All versions affected Red Hat / Red Hat Data Grid 8
All versions affected Red Hat / Red Hat Integration Camel K 1
All versions affected Red Hat / Red Hat Integration Camel Quarkus 2
All versions affected Red Hat / Red Hat JBoss Data Grid 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 8
All versions affected Red Hat / Red Hat JBoss Fuse Service Works 6
All versions affected Red Hat / Red Hat Process Automation 7
All versions affected Red Hat / streams for Apache Kafka
All versions affected References
access.redhat.com: https://access.redhat.com/errata/RHSA-2024:1674 access.redhat.com: https://access.redhat.com/errata/RHSA-2024:1675 access.redhat.com: https://access.redhat.com/errata/RHSA-2024:1676 access.redhat.com: https://access.redhat.com/errata/RHSA-2024:1677 access.redhat.com: https://access.redhat.com/errata/RHSA-2024:1860 access.redhat.com: https://access.redhat.com/errata/RHSA-2024:1861 access.redhat.com: https://access.redhat.com/errata/RHSA-2024:1862 access.redhat.com: https://access.redhat.com/errata/RHSA-2024:1864 access.redhat.com: https://access.redhat.com/errata/RHSA-2024:1866 access.redhat.com: https://access.redhat.com/errata/RHSA-2024:3354 access.redhat.com: https://access.redhat.com/errata/RHSA-2024:4884 access.redhat.com: https://access.redhat.com/errata/RHSA-2025:4226 access.redhat.com: https://access.redhat.com/errata/RHSA-2025:9583 access.redhat.com: https://access.redhat.com/security/cve/CVE-2024-1635 bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2264928 security.netapp.com: https://security.netapp.com/advisory/ntap-20240322-0007/