๐Ÿ” CVE Alert

CVE-2026-35469

UNKNOWN 0.0

SpdyStream: DOS on CRI

CVSS Score 0.0
EPSS Score 0.0%
EPSS Percentile 0th

spdystream is a Go library for multiplexing streams over SPDY connections. In versions 0.5.0 and below, the SPDY/3 frame parser does not validate attacker-controlled counts and lengths before allocating memory. Three allocation paths are affected: the SETTINGS frame entry count, the header count in parseHeaderValueBlock, and individual header field sizes, all read as 32-bit integers and used directly as allocation sizes with no bounds checking. Because SPDY header blocks are zlib-compressed, a small on-the-wire payload can decompress into large attacker-controlled values. A remote peer that can send SPDY frames to a service using spdystream can exhaust process memory and cause an out-of-memory crash with a single crafted control frame. This issue has been fixed in version 0.5.1.
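The bounds check missing from the first of those paths, the SETTINGS entry count, can be sketched as follows. This is an added example, not spdystream's code and not the 0.5.1 patch; `ParseSettings`, `Setting` and the error names are hypothetical. It covers only the uncompressed SETTINGS payload, where the bytes received bound the count; the header-block paths sit behind zlib and need explicit caps instead.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// SPDY/3 SETTINGS entry on the wire: flags (8 bits), ID (24 bits), value (32 bits).
const settingEntrySize = 8

var (
	ErrShortPayload        = errors.New("settings: payload shorter than entry count field")
	ErrCountExceedsPayload = errors.New("settings: entry count exceeds frame payload")
)

// Setting is a hypothetical decoded entry type for this example.
type Setting struct {
	Flags uint8
	ID    uint32
	Value uint32
}

// ParseSettings decodes a SETTINGS payload (the bytes after the control frame header).
// The unsafe pattern is make([]Setting, count) straight from the wire; here the
// count is first checked against the bytes the peer actually sent.
func ParseSettings(payload []byte) ([]Setting, error) {
	if len(payload) < 4 {
		return nil, ErrShortPayload
	}
	count := binary.BigEndian.Uint32(payload[:4])
	body := payload[4:]
	// Widen to uint64 so count*8 cannot wrap before the comparison.
	if uint64(count)*settingEntrySize > uint64(len(body)) {
		return nil, ErrCountExceedsPayload
	}
	out := make([]Setting, count) // now bounded by len(body)/8
	for i := range out {
		e := body[i*settingEntrySize : (i+1)*settingEntrySize]
		word := binary.BigEndian.Uint32(e[:4])
		out[i] = Setting{Flags: uint8(word >> 24), ID: word & 0xffffff,
			Value: binary.BigEndian.Uint32(e[4:])}
	}
	return out, nil
}

func main() {
	// Constructed input: claims 0xFFFFFFFF entries but carries none.
	_, err := ParseSettings([]byte{0xff, 0xff, 0xff, 0xff})
	fmt.Println(err)
}
```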

CWE CWE-770
Vendor moby
Product spdystream
Published Apr 16, 2026

Affected Versions

moby / spdystream
< 0.5.1

References

github.com: https://github.com/moby/spdystream/security/advisories/GHSA-pc3f-x583-g7j2
github.com: https://github.com/moby/spdystream/releases/tag/v0.5.1