Description
Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU.
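A defender-side check for the pattern described above, as an added example that is not part of the original advisory or of any vendor's code: it parses the 9-byte HTTP/2 frame headers in a captured byte stream and flags a run of consecutive zero-length DATA, HEADERS, CONTINUATION or PUSH_PROMISE frames that do not end the stream. The function names, the `max_run` threshold and the sample buffers are assumptions made for illustration.

```python
import struct

# Frame types named in the description, with their RFC 7540 type codes.
WATCHED = {0x0: "DATA", 0x1: "HEADERS", 0x5: "PUSH_PROMISE", 0x9: "CONTINUATION"}
END_STREAM = 0x1           # flag bit, defined only for DATA and HEADERS
HAS_END_STREAM = {0x0, 0x1}


def parse_frames(buf):
    """Yield (length, type, flags, stream_id) for each complete frame in buf."""
    off = 0
    while off + 9 <= len(buf):
        # Header: 24-bit length, 8-bit type, 8-bit flags, R bit + 31-bit stream id.
        hi, lo, ftype, flags, sid = struct.unpack_from(">BHBBI", buf, off)
        length = (hi << 16) | lo
        if off + 9 + length > len(buf):
            break  # truncated frame: stop rather than misparse
        yield length, ftype, flags, sid & 0x7FFFFFFF
        off += 9 + length


def is_empty_no_end(length, ftype, flags):
    """True for a zero-length watched frame that does not carry END_STREAM."""
    if length != 0 or ftype not in WATCHED:
        return False
    return not (ftype in HAS_END_STREAM and flags & END_STREAM)


def detect_flood(buf, max_run=100):
    """Return the index of the frame where the run of consecutive empty
    frames first exceeds max_run (an assumed threshold), or None."""
    run = 0
    for i, (length, ftype, flags, _sid) in enumerate(parse_frames(buf)):
        run = run + 1 if is_empty_no_end(length, ftype, flags) else 0
        if run > max_run:
            return i
    return None


def frame(ftype, flags, sid, payload=b""):
    """Build one frame; used only to construct the sample buffers below."""
    n = len(payload)
    return struct.pack(">BHBBI", n >> 16, n & 0xFFFF, ftype, flags, sid) + payload


# Constructed samples: an ordinary request, and one followed by empty DATA frames.
NORMAL = frame(0x1, 0x4, 1, b"\x82") + frame(0x0, 0x0, 1, b"hello") + frame(0x0, 0x1, 1)
FLOOD = frame(0x1, 0x4, 1, b"\x82") + frame(0x0, 0x0, 1) * 150
```

A counter of this kind belongs in the connection handler, where exceeding the limit closes the connection; the run resets on any non-empty frame, so a per-connection total is a stricter variant.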
Remediation
References