CVE-2026-40898: Unbounded Http Header Decode Loop


Provally Curated · Public repository · Medium · Medium confidence · Verified · Apache-2.0 · Go
greprules fetch cve-2026-40898-unbounded-http-header-decode-loop --engine opengrep

Description

A loop continuously decodes protocol items (e.g., HTTP QPACK/HPACK headers) and adds them to a collection without updating or checking a size limit. A malicious endpoint can send an excessively large sequence of headers, leading to unbounded memory allocation and a Denial of Service (OOM) attack. Enforce memory limits by tracking the byte size or c
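A minimal Go model of the fix the rule asks for, added here as an illustration and not code from the rule or from any project it matches. The wire format is a constructed stand-in (one-byte length prefixes), not real HPACK/QPACK; the flagged pattern is the same loop with the `size` accounting and its check removed, and the 32-octet per-header charge follows the HTTP/2 header-list accounting of RFC 7540 section 6.5.2.

```go
package main

import "errors"

// Header is one decoded name/value pair.
type Header struct{ Name, Value string }

var ErrTruncated = errors.New("truncated header block")
var ErrHeaderListTooLarge = errors.New("header list exceeds configured size limit")

// decodeOne reads one item of a constructed stand-in wire format (not real HPACK/QPACK):
// [1-byte name len][name][1-byte value len][value]. It returns the item and the remainder.
func decodeOne(buf []byte) (Header, []byte, error) {
	if len(buf) == 0 || len(buf) < 2+int(buf[0]) {
		return Header{}, nil, ErrTruncated
	}
	n := int(buf[0])
	rest, v := buf[1+n:], int(buf[1+n])
	if len(rest) < 1+v {
		return Header{}, nil, ErrTruncated
	}
	return Header{string(buf[1 : 1+n]), string(rest[1 : 1+v])}, rest[1+v:], nil
}

// DecodeBounded decodes a whole header block while enforcing maxListSize. Each item is
// charged len(name)+len(value)+32 octets (the HTTP/2 header-list accounting of RFC 7540
// section 6.5.2) and decoding fails closed, before the append, as soon as the running
// total exceeds the limit. The loop the rule flags is this one without size/its check:
// it appends every item, so the list grows with whatever the peer chooses to send.
func DecodeBounded(block []byte, maxListSize int) ([]Header, error) {
	var hs []Header
	size := 0
	for len(block) > 0 {
		h, rest, err := decodeOne(block)
		if err != nil {
			return nil, err
		}
		size += len(h.Name) + len(h.Value) + 32
		if size > maxListSize {
			return nil, ErrHeaderListTooLarge
		}
		hs = append(hs, h)
		block = rest
	}
	return hs, nil
}
```

Because the check runs before the append, resident memory is bounded by maxListSize plus one in-flight item regardless of how long the peer's block is.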