CVE-2026-54428

Name: CVE-2026-54428
Description: Allocation of resources without limits or throttling in the HTTP/2 HPACK decoder in Apache HttpComponents Core (5.4.2 and earlier, 5.5-beta1 and earlier) allows a remote attacker to cause a denial of service through memory exhaustion by sending oversized compressed header blocks before the HTTP/2 SETTINGS acknowledgement causes the configured header list size limit to be applied.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package               Release                        Version     Status
httpcomponents-core (PTS)    bullseye                       4.4.14-1    vulnerable
httpcomponents-core (PTS)    forky, sid, bookworm, trixie   4.4.16-1    vulnerable
httpcomponents-core5 (PTS)   bookworm                       5.2.1-1     vulnerable
httpcomponents-core5 (PTS)   trixie                         5.2.2-1     vulnerable
httpcomponents-core5 (PTS)   forky, sid                     5.4.2-1.1   vulnerable

The information below is based on the following data on fixed versions.

Package                Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
httpcomponents-core    source   (unstable)   (unfixed)
httpcomponents-core5   source   (unstable)   (unfixed)

Notes

https://www.openwall.com/lists/oss-security/2026/07/01/3
v4 possibly not affected, needs further validation once fix is identified
