๐Ÿ” CVE Alert

CVE-2026-54428

HIGH 7.5

Apache HttpComponents Core: HPackDecoder Unlimited Header List Size Before SETTINGS ACK

CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
0th

Allocation of resources without limits or throttling in the HTTP/2 HPACK decoder in Apache HttpComponents Core (5.4.2 and earlier, 5.5-beta1 and earlier) allows a remote attacker to cause a denial of service through memory exhaustion by sending oversized compressed header blocks before the HTTP/2 SETTINGS acknowledgement causes the configured header list size limit to be applied.

CWE CWE-770 CWE-400
Vendor apache software foundation
Product apache httpcomponents core
Published Jul 1, 2026
Last Updated Jul 1, 2026

Affected Versions

Apache Software Foundation / Apache HttpComponents Core
5.5-alpha ≤ 5.5-beta1
5.0-alpha ≤ 5.4.2

References

lists.apache.org: https://lists.apache.org/thread/5zjp8vczvxq19pw2rvhs21q446bhl0sd
openwall.com: http://www.openwall.com/lists/oss-security/2026/07/01/3

Credits

Henry Huang