{"id":"GO-2022-0536","summary":"Reset flood in net/http and golang.org/x/net/http","details":"Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service.\n\nServers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.","aliases":["CVE-2019-9512","CVE-2019-9514","GHSA-39qc-96h7-956f","GHSA-hgr8-6h9x-f7q9"],"modified":"2026-03-17T04:21:01.509552Z","published":"2022-08-01T22:20:53Z","related":["CGA-hxrg-2m2v-635r"],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2022-0536","review_status":"REVIEWED"},"references":[{"type":"FIX","url":"https://go.dev/cl/190137"},{"type":"FIX","url":"https://go.googlesource.com/go/+/145e193131eb486077b66009beb051aba07c52a5"},{"type":"REPORT","url":"https://go.dev/issue/33606"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/65QixT3tcmg/m/DrFiG6vvCwAJ"}],"affected":[{"package":{"name":"stdlib","ecosystem":"Go","purl":"pkg:golang/stdlib"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.11.13"},{"introduced":"1.12.0-0"},{"fixed":"1.12.8"}]}],"ecosystem_specific":{"imports":[{"symbols":["http2serverConn.scheduleFrameWrite","http2serverConn.serve","http2serverConn.writeFrame"],"path":"net/http"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2022-0536.json"}},{"package":{"name":"golang.org/x/net","ecosystem":"Go","purl":"pkg:golang/golang.org/x/net"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.0.0-20190813141303-74dc4d7220e7"}]}],"ecosystem_specific":{"imports":[{"symbols":["Server.ServeConn","serverConn.scheduleFrameWrite","serverConn.serve","serverConn.writeFrame"],"path":"golang.org/x/net/http2"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2022-0536.json"}}],"schema_version":"1.7.5","credits":[{"name":"Jonathan Looney of Netflix"}]}