DEBIAN-CVE-2019-9516

DEBIAN-CVE-2019-9516 PUBLISHED CVSS 6.5 MEDIUM

Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory.

Risk Scores

CVSS 3.1

6.5

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected Products

Vendor	Product	Versions
Debian:12	nginx	0, 0, 0
Debian:13	nginx	0, 0, 0
Debian:11	nginx	0, 0, 0
Debian:14	nginx	0, 0, 0

Exploit Intelligence

based on nginx 1.19.5 to fix for CVE-2018-16843, CVE-2018-16844, CVE-2019-9511, CVE-2019-9513, and CVE-2019-9516 (github-poc-repo)
sec-build.yaml (github-poc)
GenerationConfig.java (github-poc)
SelfAdaptationGenerationConfig.java (github-poc)

Timeline

Aug 13, 2019 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2019-9516 advisory

Open in Interactive Console →