ALPINE-CVE-2022-41556 — Vulnetix

Try Vulnetix Request Demo

ALPINE-CVE-2022-41556 PUBLISHED CVSS 7.5 HIGH

A resource leak in gw_backend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service (connection-slot exhaustion) after a large amount of anomalous TCP behavior by clients. It is related to RDHUP mishandling in certain HTTP/1.1 chunked situations. Use of mod_fastcgi is, for example, affected. This is fixed in 1.4.67.

Risk Scores

CVSS v3.1

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products

Vendor	Product	Versions
Alpine:v3.21	lighttpd	1.4.35-r2, 1.4.66-r0, 1.4.65-r1
Alpine:v3.22	lighttpd	1.4.20-r2, 1.4.66-r0, 1.4.65-r1
Alpine:v3.19	lighttpd	1.4.30-r3, 1.4.28-r4, 1.4.20-r1
Alpine:v3.23	lighttpd	1.4.39-r1, 1.4.61-r0, 1.4.60-r0
Alpine:v3.18	lighttpd	1.4.25-r2, 1.4.26-r1, 1.4.30-r2
Alpine:v3.17	lighttpd	0, 1.4.66-r0, 1.4.65-r1
Alpine:v3.20	lighttpd	1.4.20-r1, 1.4.66-r0, 1.4.65-r1
Alpine:v3.16	lighttpd	1.4.56-r0, 1.4.45-r0, 1.4.44-r0
Alpine:v3.15	lighttpd	1.4.35-r1, 1.4.35-r0, 1.4.34-r1

Timeline

Oct 6, 2022 CVE Published
Dec 3, 2025 CVE Updated
Apr 30, 2026 Distribution Patch

References

https://security.alpinelinux.org/vuln/CVE-2022-41556 advisory

Open in Interactive Console →