DEBIAN-CVE-2026-35469
spdystream is a Go library for multiplexing streams over SPDY connections. In versions 0.5.0 and below, the SPDY/3 frame parser does not validate attacker-controlled counts and lengths before allocating memory. Three allocation paths are affected: the SETTINGS frame entry count, the header count in parseHeaderValueBlock, and individual header field sizes — all read as 32-bit integers and used directly as allocation sizes with no bounds checking. Because SPDY header blocks are zlib-compressed, a small on-the-wire payload can decompress into large attacker-controlled values. A remote peer that can send SPDY frames to a service using spdystream can exhaust process memory and cause an out-of-memory crash with a single crafted control frame. This issue has been fixed in version 0.5.1.
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian | golang-github-docker-spdystream | |
| Debian:14 | golang-github-docker-spdystream | 0, 0.5.0-1, 0 |
| Debian:12 | golang-github-docker-spdystream | 0.5.0-1, 0.2.0-1, 0.5.0-1 |
| Debian:13 | golang-github-docker-spdystream | 0, 0, 0.5.0-1 |
| Debian:11 | golang-github-docker-spdystream | 0, 0.5.0-1, 0.2.0-1 |
Exploit Intelligence
- CVE-2026-35469.json (github-poc)
- GHSA-pc3f-x583-g7j2.json (github-poc)
- CHANGELOG-v1.75.7.yml (github-poc)
Timeline
- Apr 16, 2026 CVE Published
- Apr 28, 2026 CVE Updated