VDB

CISA-2025-8671

CISA-2025-8671 PUBLISHED CVSS 7.5 HIGH

Reported by certcc · Published August 13, 2025

A mismatch caused by client-triggered server-sent stream resets between HTTP/2 specifications and the internal architectures of some HTTP/2 implementations may result in excessive server resource consumption leading to denial-of-service (DoS). By opening streams and then rapidly triggering the server to reset them—using malformed frames or flow control errors—an attacker can exploit incorrect stream accounting. Streams reset by the server are considered closed at the protocol level, even though backend processing continues. This allows a client to cause the server to handle an unbounded number of concurrent streams on a single connection. This CVE will be updated as affected product details are released.

Risk Scores

CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products

VendorProductVersions
SUSE LinuxEnterprise Module for Development Tools15 SP2
SUSE LinuxEnterprise High Performance Computing (HPC)15
Varnish SoftwareVarnish Enterprise6.0.x
Varnish SoftwareVarnish Cache6.0LTS
Varnish SoftwareVarnish Cache5.x
FastlyH20579ecfa
Wind RiverLinuxLTS22
SUSE LinuxEnterprise Desktop15 SP6
SUSE LinuxEnterprise High Performance Computing15 SP3
SUSE LinuxEnterprise Module for Dev Tools15 SP3
SUSE LinuxEnterprise Module for Package Hub15 SP5
SUSE LinuxEnterprise Server12 SP5
SUSE LinuxEnterprise Server for SAP Applications15 SP6
SUSE LinuxSUSE Manager Server4.3
SUSE LinuxSUSE Manager Server LTS4.3
SUSE LinuxSUSE Manager Proxy4.3
SUSE LinuxSUSE Manager Retail Branch Server4.3
SUSE LinuxopenSUSE Leap15.6
SUSE LinuxEnterprise Module for Package Hub15 SP5, 15 SP5
SUSE LinuxEnterprise Module for Dev Tools15 SP3, 15 SP3

…and 15 more

Timeline

  • Aug 13, 2025 CVE Published
  • Nov 4, 2025 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›