CVE Catalog

CVE-2026-35469

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.66%

47th percentile - higher than 47% of all known CVEs

Summary

The spdystream library in versions 0.5.0 and below does not validate attacker-controlled counts and lengths before memory allocation in the SPDY/3 frame parser. An attacker can send a single crafted control frame that, after zlib decompression, exhausts process memory and causes an out-of-memory crash.

Risk Assessment

The organization is exposed to a remote DoS (denial of service) attack from any peer that can send SPDY frames to a service using the vulnerable library. A single frame can cause immediate memory exhaustion and process crash.

Recommendation

Immediately update the spdystream library to version 0.5.1 or later, which includes a fix for memory allocation size validation.

Original NVD description (English source)

spdystream is a Go library for multiplexing streams over SPDY connections. In versions 0.5.0 and below, the SPDY/3 frame parser does not validate attacker-controlled counts and lengths before allocating memory. Three allocation paths are affected: the SETTINGS frame entry count, the header count in parseHeaderValueBlock, and individual header field sizes — all read as 32-bit integers and used directly as allocation sizes with no bounds checking. Because SPDY header blocks are zlib-compressed, a small on-the-wire payload can decompress into large attacker-controlled values. A remote peer that can send SPDY frames to a service using spdystream can exhaust process memory and cause an out-of-memory crash with a single crafted control frame. This issue has been fixed in version 0.5.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS