CVE-2025-8671 PUBLISHED CVSS 9.3 CRITICAL

A mismatch caused by client-triggered server-sent stream resets between HTTP/2 specifications and the internal architectures of some HTTP/2 implementations may result in excessive server resource consumption leading to denial-of-service (DoS). By opening streams and then rapidly triggering the server to reset them—using malformed frames or flow control errors—an attacker can exploit incorrect stream accounting. Streams reset by the server are considered closed at the protocol level, even though backend processing continues. This allows a client to cause the server to handle an unbounded number of concurrent streams on a single connection. This CVE will be updated as affected product details are released.
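The accounting mismatch described above, as an added illustration that is not part of the advisory or of any affected product's code: a toy per-connection model in which the flawed variant counts only protocol-open streams, while the corrected variant also counts streams the server has reset but whose backend handler is still running, and enforces the concurrency limit against that number. The limit value and the class names are constructed for the example.

```python
"""Model of HTTP/2 stream accounting: protocol-level state vs backend work."""
from dataclasses import dataclass, field

MAX_CONCURRENT_STREAMS = 100  # constructed cap, standing in for the server's stream limit


@dataclass
class Connection:
    open_streams: set = field(default_factory=set)       # open at the protocol level
    backend_in_flight: set = field(default_factory=set)  # handler still running
    count_backend_work: bool = False                     # False = flawed, True = fixed

    def active(self) -> int:
        # Flawed accounting looks only at protocol-open streams. The fix also counts
        # streams the server already reset but whose backend handler has not finished.
        if self.count_backend_work:
            return len(self.open_streams | self.backend_in_flight)
        return len(self.open_streams)

    def open_stream(self, sid: int) -> bool:
        if self.active() >= MAX_CONCURRENT_STREAMS:
            return False  # a real server would answer RST_STREAM(REFUSED_STREAM)
        self.open_streams.add(sid)
        self.backend_in_flight.add(sid)  # request dispatched to the backend
        return True

    def server_reset(self, sid: int) -> None:
        # The stream is closed at the protocol level, but backend work continues.
        self.open_streams.discard(sid)

    def backend_done(self, sid: int) -> None:
        self.backend_in_flight.discard(sid)


def simulate(count_backend_work: bool, streams: int) -> tuple:
    """Open `streams` streams that the server resets before the backend finishes.

    Returns (protocol-open streams, backend handlers still in flight)."""
    conn = Connection(count_backend_work=count_backend_work)
    for sid in range(1, 2 * streams, 2):  # client-initiated streams use odd ids
        if conn.open_stream(sid):
            conn.server_reset(sid)
    return len(conn.open_streams), len(conn.backend_in_flight)
```

With the flawed accounting the protocol-level count stays at zero while backend work grows without bound; with the fix, backend work on one connection is capped at the stream limit until handlers complete.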

EPSS 0.54% · 67.4th percentile

Risk Scores

CVSS v4.0
9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS Score
0.54%
67.4th percentile

Affected Products

| Vendor | Product | Versions |
|---|---|---|
| SUSE Linux | Enterprise Server | 12 SP5 |
| SUSE Linux | SUSE Manager Server | 4.3 |
| SUSE Linux | Enterprise Module for Development Tools | 15 SP2 |
| SUSE Linux | SUSE Manager Server LTS | 4.3 |
| SUSE Linux | SUSE Manager Retail Branch Server | 4.3 |
| SUSE Linux | Enterprise Module for Package Hub | 15 SP5 |
| SUSE Linux | SUSE Manager Proxy | 4.3 |
| SUSE Linux | Enterprise Desktop | 15 SP6 |
| SUSE Linux | Enterprise Module for Dev Tools | 15 SP3 |
| Varnish Software | Varnish Cache | 5.x, 6.0 LTS |
| SUSE Linux | Enterprise Server for SAP Applications | 15 SP6 |
| SUSE Linux | Enterprise High Performance Computing (HPC) | 15 |
| SUSE Linux | openSUSE Leap | 15.6 |
| SUSE Linux | Enterprise High Performance Computing | 15 SP3 |
| Fastly | H2O | 579ecfa |
| Wind River | Linux | LTS22 |
| Varnish Software | Varnish Enterprise | 6.0.x |
