ALPINE-CVE-2023-35945
Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy’s HTTP/2 codec may leak a header map and bookkeeping structures upon receiving `RST_STREAM` immediately followed by the `GOAWAY` frames from an upstream server. In nghttp2, cleanup of pending requests due to receipt of the `GOAWAY` frame skips de-allocation of the bookkeeping structure and pending compressed header. The error return [code path] is taken if connection is already marked for not sending more requests due to `GOAWAY` frame. The clean-up code is right after the return statement, causing memory leak. Denial of service through memory exhaustion. This vulnerability was patched in versions(s) 1.26.3, 1.25.8, 1.24.9, 1.23.11.
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Alpine:v3.15 | nghttp2 | 0, 1.9.2-r0, 1.9.1-r0 |
| Alpine:v3.16 | nghttp2 | 1.43.0-r0, 1.44.0-r0, 1.44.0-r1 |
| Alpine:v3.17 | nghttp2 | 1.7.0-r0, 1.33.0-r0, 1.7.0-r0 |
Timeline
- Jul 13, 2023 CVE Published
- Apr 30, 2026 Distribution Patch
- Jun 15, 2026 CVE Updated