CVE Catalog

CVE-2026-54428

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.41%

33th percentile — higher than 33% of all known CVEs

Summary

A vulnerability in the HTTP/2 HPACK decoder in Apache HttpComponents Core (versions 5.4.2 and earlier, 5.5-beta1 and earlier) allows a remote attacker to cause a denial of service through memory exhaustion by sending oversized compressed header blocks before the HTTP/2 SETTINGS acknowledgement applies the configured header list size limit.

Risk Assessment

The organization is at risk of a DoS attack that can render services based on Apache HttpComponents Core unavailable, leading to application downtime and potential financial losses.

Recommendation

Immediately upgrade Apache HttpComponents Core to version 5.4.3 or later (or 5.5-beta2), which includes a fix to limit header size before HTTP/2 SETTINGS acknowledgement.

Original NVD description (English source)

Allocation of resources without limits or throttling in the HTTP/2 HPACK decoder in Apache HttpComponents Core (5.4.2 and earlier, 5.5-beta1 and earlier) allows an remote attacker to cause a denial of service through memory exhaustion by sending oversized compressed header blocks before the HTTP/2 SETTINGS acknowledgement causes the configured header list size limit to be applied.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS