DEBIAN-CVE-2018-16844

DEBIAN-CVE-2018-16844 PUBLISHED CVSS 7.5 HIGH

nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive CPU usage. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration file.

Risk Scores

CVSS v3.1

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products

Vendor	Product	Versions
Debian:12	nginx	0, 0, 0
Debian:13	nginx	0, 0, 0
Debian:14	nginx	0, 0, 0
Debian:11	nginx	0, 0, 0

Exploit Intelligence

based on nginx 1.19.5 to fix for CVE-2018-16843, CVE-2018-16844, CVE-2019-9511, CVE-2019-9513, and CVE-2019-9516 (github-poc-repo)
cve_db.json (github-poc)
GenerationConfig.java (github-poc)
SelfAdaptationGenerationConfig.java (github-poc)

Timeline

Nov 7, 2018 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2018-16844 advisory

Open in Interactive Console →