CVE-2016-6580
Severity CVSS v4.0: Pending analysis
Type: CWE-399 Resource Management Errors
Publication date: 10/01/2017
Last modified: 20/04/2025
Description
An HTTP/2 implementation built using any version of the Python priority library prior to version 1.2.0 could be targeted by a malicious peer by having that peer assign priority information for every possible HTTP/2 stream ID. The priority tree would happily continue to store the priority information for each stream, and would therefore allocate unbounded amounts of memory. Attempting to actually use a tree like this would also cause extremely high CPU usage to maintain the tree.
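The missing bound described above, shown as an added example: a simplified model of per-stream priority state that refuses new entries past a cap. This is not the priority library's code; `BoundedPriorityTree`, `TooManyStreams`, `max_streams`, the cap of 1000 and `simulate_assignments` are hypothetical names and values chosen for illustration.

```python
# Simplified model of per-stream priority state (added example, hypothetical names).
MAX_STREAM_ID = 2**31 - 1  # largest HTTP/2 stream identifier


class TooManyStreams(Exception):
    """The peer tried to make us track more streams than we allow."""


class BoundedPriorityTree:
    def __init__(self, max_streams=1000):  # the cap value is an assumption
        if max_streams < 1:
            raise ValueError("max_streams must be positive")
        self.max_streams = max_streams
        self._streams = {}  # stream_id -> (parent_id, weight); 0 is the root

    def __len__(self):
        return len(self._streams)

    def set_priority(self, stream_id, depends_on=0, weight=16):
        """Record the priority a peer assigned to a stream."""
        if not 0 < stream_id <= MAX_STREAM_ID:
            raise ValueError("invalid stream id")
        if depends_on == stream_id:
            raise ValueError("a stream cannot depend on itself")
        if not 1 <= weight <= 256:
            raise ValueError("weight out of range")
        # The bound: known streams may be updated, but a new entry past the
        # cap is refused before any state is stored for it.
        if stream_id not in self._streams and len(self) >= self.max_streams:
            raise TooManyStreams(f"more than {self.max_streams} streams")
        # Simplification in this model: an unknown parent falls back to the
        # root, so a dependency can never create extra entries.
        if depends_on not in self._streams:
            depends_on = 0
        self._streams[stream_id] = (depends_on, weight)

    def remove(self, stream_id):
        """Drop state for a closed stream and reparent its children."""
        parent, _ = self._streams.pop(stream_id)
        for sid, (p, w) in list(self._streams.items()):
            if p == stream_id:
                self._streams[sid] = (parent, w)


def simulate_assignments(tree, count):
    """Apply `count` constructed assignments to distinct stream IDs."""
    accepted = rejected = 0
    for stream_id in range(1, 2 * count, 2):
        try:
            tree.set_priority(stream_id)
            accepted += 1
        except TooManyStreams:
            rejected += 1
    return accepted, rejected
```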
Impact
Base Score 3.x: 7.50
Severity 3.x: HIGH
Base Score 2.0: 5.00
Severity 2.0: MEDIUM
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:a:python:python_priority_library:1.0.0:*:*:*:*:*:*:* | | |
cpe:2.3:a:python:python_priority_library:1.1.0:*:*:*:*:*:*:* | | |
cpe:2.3:a:python:python_priority_library:1.1.1:*:*:*:*:*:*:* | | |