CVE-2026-54428
Apache HttpComponents Core: HPackDecoder Unlimited Header List Size Before SETTINGS ACK
CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
0th
Allocation of resources without limits or throttling in the HTTP/2 HPACK decoder in Apache HttpComponents Core (5.4.2 and earlier, 5.5-beta1 and earlier) allows a remote attacker to cause a denial of service through memory exhaustion by sending oversized compressed header blocks before the HTTP/2 SETTINGS acknowledgement causes the configured header list size limit to be applied.
| CWE | CWE-770 CWE-400 |
| Vendor | apache software foundation |
| Product | apache httpcomponents core |
| Published | Jul 1, 2026 |
| Last Updated | Jul 1, 2026 |
Affected Versions
Apache Software Foundation / Apache HttpComponents Core
5.5-alpha ≤ 5.5-beta1
5.0-alpha ≤ 5.4.2
References
Credits
Henry Huang <[email protected]>