Impact
nghttp2 fails to release memory when PUSH_PROMISE or HEADERS frame cannot be sent, and nghttp2_on_stream_close_callback fails with a fatal error. For example, if GOAWAY frame has been received, a HEADERS frame that opens new stream cannot be sent.
This issue has been made public via GHSA-jfxv-29pc-x22r, but it does not include nghttp2 in the affected products. This adovisory is retroactively published to cover nghttp2 as an affected product.
Patches
nghttp2 v1.55.1 or later mitigates this vulnerability.
Workarounds
Do not return a fatal error from nghttp2_on_stream_close_callback.
References
The following commit mitigates this vulnerability:
Impact
nghttp2 fails to release memory when PUSH_PROMISE or HEADERS frame cannot be sent, and nghttp2_on_stream_close_callback fails with a fatal error. For example, if GOAWAY frame has been received, a HEADERS frame that opens new stream cannot be sent.
This issue has been made public via GHSA-jfxv-29pc-x22r, but it does not include nghttp2 in the affected products. This adovisory is retroactively published to cover nghttp2 as an affected product.
Patches
nghttp2 v1.55.1 or later mitigates this vulnerability.
Workarounds
Do not return a fatal error from nghttp2_on_stream_close_callback.
References
The following commit mitigates this vulnerability: