Allocation of resources without limits or throttling in the HTTP/2 HPACK decoder in Apache HttpComponents Core (5.4.2 and earlier, 5.5-beta1 and earlier) allows an remote attacker to cause a denial of service through memory exhaustion by sending oversized compressed header blocks before the HTTP/2 SETTINGS acknowledgement causes the configured header list size limit to be applied.
References
| Link | Resource |
|---|---|
| https://lists.apache.org/thread/5zjp8vczvxq19pw2rvhs21q446bhl0sd | Mitigation Vendor Advisory |
| http://www.openwall.com/lists/oss-security/2026/07/01/3 | Mitigation Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
06 Jul 2026, 18:47
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://lists.apache.org/thread/5zjp8vczvxq19pw2rvhs21q446bhl0sd - Mitigation, Vendor Advisory | |
| References | () http://www.openwall.com/lists/oss-security/2026/07/01/3 - Mitigation, Third Party Advisory | |
| CPE | cpe:2.3:a:apache:httpcomponents_core:*:*:*:*:*:*:*:* cpe:2.3:a:apache:httpcomponents_core:5.5:beta1:*:*:*:*:*:* cpe:2.3:a:apache:httpcomponents_core:5.5:alpha1:*:*:*:*:*:* |
|
| First Time |
Apache httpcomponents Core
Apache |
01 Jul 2026, 19:16
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
01 Jul 2026, 18:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-07-01 18:16
Updated : 2026-07-06 18:47
NVD link : CVE-2026-54428
Mitre link : CVE-2026-54428
CVE.ORG link : CVE-2026-54428
JSON object : View
Products Affected
apache
- httpcomponents_core
