GHSA-xrjj-mj9h-534m · Severity: medium · Ecosystem: go — golang.org/x/net/http2 vulnerable to possible excessive memory growth
An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
Conclusion & alert: CVE-2022-41717 is rated Moderate Risk (40.6/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 0.33%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-02-17 | 0.39% | 0.33% | -0.06% |
| 2 | 2026-02-05 | 0.53% | 0.39% | -0.14% |
| 3 | 2026-02-04 | — | 0.53% | — |
Full EPSS history (30 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 5.3 | 3.1 | MEDIUM |
|
3.9 | 1.4 | [email protected] |
GHSA-xrjj-mj9h-534m · Severity: medium · Ecosystem: go — golang.org/x/net/http2 vulnerable to possible excessive memory growth
| vendor | priority | summary | link |
|---|---|---|---|
alpine
|
— | CVE-2022-41717: 2 source package rows (go, minio-client); 70 state rows across 7 repos (3.17-community, 3.18-community, 3.19-community, 3.20-community, 3.21-community, 3.22-community, edge-community); fixed 70, open 0. | https://security.alpinelinux.org/vuln/CVE-2022-41717 |
debian
|
not yet assigned | CVE-2022-41717 not yet assigned priority: Debian including 3 source packages (golang-1.15, golang-1.19, golang-golang-x-net), 7 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5, open 2. | https://security-tracker.debian.org/tracker/CVE-2022-41717 |
gentoo
|
low | CVE-2022-41717: 3 GLSA(s) (202311-09, 202409-28, 202409-29), 3 atom(s) (app-admin/consul, app-containers/docker, dev-lang/go); latest impact low. | https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2022-41717 |
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2022-41717 |
suse
|
high | CVE-2022-41717 severity important: SUSE including 87 source package names (1.18-18.52:go1.18-1.18.9-150000.1.40.1, aardvark-dns-1.5.0-2.module+el8.8.0+18060+3f21f2cc, …), 162 product×package rows across 20 product lines (Container bci/golang, SUSE Enterprise Storage 7.1, … (20 product lines)): Fixed 162. | https://www.suse.com/security/cve/CVE-2022-41717/ |
ubuntu
|
medium | CVE-2022-41717 medium priority: Ubuntu including 10 source packages (golang, golang-1.10, …), 82 status rows across 13 suites (bionic, focal, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): DNE 45, needs-triage 13, released 10, ignored 9, needed 5. | https://ubuntu.com/security/CVE-2022-41717 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| golang | go | < 1.18.9 | cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* |
| golang | go | >= 1.19.0, < 1.19.4 | cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* |
| golang | http2 | < 0.4.0 | cpe:2.3:a:golang:http2:*:*:*:*:*:go:*:* |
| fedoraproject | fedora | 37 | cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:* |
| fedoraproject | fedora | 38 | cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:* |