7.5

CVE-2025-8671

A mismatch caused by client-triggered server-sent stream resets between HTTP/2 specifications and the internal architectures of some HTTP/2 implementations may result in excessive server resource consumption leading to denial-of-service (DoS). By opening streams and then rapidly triggering the server to reset them, using malformed frames or flow control errors, an attacker can exploit incorrect stream accounting. Streams reset by the server are considered closed at the protocol level, even though backend processing continues. This allows a client to cause the server to handle an unbounded number of concurrent streams on a single connection. This CVE will be updated as affected product details are released.
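The accounting mismatch described above, modelled as an added example (not code from this page or from any of the affected projects): a toy HTTP/2 connection tracks streams that are open at the protocol level separately from requests still running in the backend. The vulnerable accounting enforces only the protocol-level concurrency limit, so server-reset streams stop counting while their handlers keep running; the hardened variant additionally caps the number of server-reset streams whose backend work is still pending and tears the connection down when that cap is exceeded. The cap `MAX_RESET_BACKLOG`, the event model and the `simulate` driver are assumptions for illustration.

```python
from dataclasses import dataclass, field

MAX_CONCURRENT_STREAMS = 100  # advertised SETTINGS_MAX_CONCURRENT_STREAMS
MAX_RESET_BACKLOG = 50        # assumed cap on server-reset streams still in the backend

@dataclass
class Connection:
    enforce_backlog: bool                             # False = vulnerable accounting
    open_streams: set = field(default_factory=set)    # open at the HTTP/2 protocol level
    backend_active: set = field(default_factory=set)  # request handlers still running
    reset_backlog: int = 0   # server-reset streams whose handler has not finished
    closed: bool = False     # True once the server has torn the connection down

    def open_stream(self, sid):
        """Client opens stream `sid`; the request is handed to the backend at once."""
        if self.closed:
            return False
        if len(self.open_streams) >= MAX_CONCURRENT_STREAMS:
            self.closed = True  # client exceeded the advertised limit: protocol error
            return False
        self.open_streams.add(sid)
        self.backend_active.add(sid)
        return True

    def server_reset(self, sid):
        """Server sends RST_STREAM (malformed frame, flow-control error); backend work continues."""
        if self.closed or sid not in self.open_streams:
            return
        self.open_streams.discard(sid)  # closed at the protocol level only
        if sid in self.backend_active:
            self.reset_backlog += 1
            if self.enforce_backlog and self.reset_backlog > MAX_RESET_BACKLOG:
                self.closed = True  # hardened: too much orphaned work, close the connection

    def backend_done(self, sid):
        """Backend finished `sid`; only now is its share of the budget released."""
        if sid in self.backend_active:
            self.backend_active.discard(sid)
            if sid not in self.open_streams:
                self.reset_backlog -= 1

def simulate(n, enforce_backlog):
    """Open n streams, each reset by the server before its backend work completes."""
    conn = Connection(enforce_backlog)
    for sid in range(1, 2 * n, 2):  # client-initiated streams use odd IDs
        if not conn.open_stream(sid):
            break
        conn.server_reset(sid)
    return len(conn.backend_active), conn.closed  # (handlers still running, closed?)
```

With the vulnerable accounting `simulate(1000, False)` leaves 1000 handlers running on one connection that never exceeded its protocol-level limit; with the backlog cap the connection is closed after the 51st orphaned stream.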

Data provided by the CVE Program from a CVE Numbering Authority (CNA) (unstructured).
| Vendor | Product | Version | Affected range | Status |
|---|---|---|---|---|
| SUSE Linux | Enterprise Module for Development Tools | 15 SP2 | < 15-SP5 | affected |
| SUSE Linux | Enterprise High Performance Computing (HPC) | 15 | < 15 SP5 | affected |
| Varnish Software | Varnish Enterprise | 6.0.x | <= 6.0.14r4 | affected |
| Varnish Software | Varnish Cache | 6.0LTS | <= 6.014 | affected |
| Varnish Software | Varnish Cache | 5.x | <= 7.71 | affected |
| Fastly | H2O | 579ecfa | | affected |
| Wind River | Linux | LTS22 | <= TLS25 | affected |
| SUSE Linux | Enterprise Desktop | 15 SP6 | < 15 SP7 | affected |
| SUSE Linux | Enterprise High Performance Computing | 15 SP3 | < 15 SP7 | affected |
| SUSE Linux | Enterprise Module for Dev Tools | 15 SP3 | < 15 SP7 | affected |
| SUSE Linux | Enterprise Module for Package Hub | 15 SP5 | < 15 SP7 | affected |
| SUSE Linux | Enterprise Server | 12 SP5 | < 15 SP7 | affected |
| SUSE Linux | Enterprise Server for SAP Applications | 15 SP6 | < 15 SP7 | affected |
| SUSE Linux | SUSE Manager Server | 4.3 | | affected |
| SUSE Linux | SUSE Manager Server LTS | 4.3 | | affected |
| SUSE Linux | SUSE Manager Proxy | 4.3 | | affected |
| SUSE Linux | SUSE Manager Retail Branch Server | 4.3 | | affected |
| SUSE Linux | openSUSE Leap | 15.6 | | affected |
No CISA KEV entry or CERT.at advisory was found for this CVE.

EPSS metrics

| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.08% | 0.253 |

CVSS metrics

| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 7.5 | 3.9 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CWE-404: Improper Resource Shutdown or Release

The product does not release or incorrectly releases a resource before it is made available for re-use.