CVE Vulnerability Details: CVE-2026-54428
PUBLISHED
Assigner: apache
Assigner Org ID: f0158376-9dc2-43b6-827c-5f631a4d8d09
Published At: 01 Jul, 2026 | 17:03
Updated At: 01 Jul, 2026 | 18:15
CVE Numbering Authority (CNA)
Apache HttpComponents Core: HPackDecoder Unlimited Header List Size Before SETTINGS ACK

Allocation of resources without limits or throttling in the HTTP/2 HPACK decoder in Apache HttpComponents Core (5.4.2 and earlier, 5.5-beta1 and earlier) allows a remote attacker to cause a denial of service through memory exhaustion by sending oversized compressed header blocks before the HTTP/2 SETTINGS acknowledgement causes the configured header list size limit to be applied.

Affected Products
Vendor: The Apache Software Foundation
Product: Apache HttpComponents Core
Collection URL: https://repo.maven.apache.org/maven2/
Package Name: org.apache.httpcomponents.core5:httpcore5-h2
Default Status: unaffected
Versions
Affected
  • From 5.5-alpha through 5.5-beta1 (maven)
  • From 5.0-alpha through 5.4.2 (maven)
Problem Types
Type: CWE
CWE ID: CWE-770
Description: CWE-770: Allocation of Resources Without Limits or Throttling
Type: CWE
CWE ID: CWE-400
Description: CWE-400: Uncontrolled Resource Consumption
Metrics
Textual description of severity: Important
Credits

finder: Henry Huang <zhuang3@paypal.com>
References
Hyperlink: https://lists.apache.org/thread/5zjp8vczvxq19pw2rvhs21q446bhl0sd
Resource: vendor-advisory
Authorized Data Publishers (ADP)
1. CVE Program Container
References
Hyperlink: http://www.openwall.com/lists/oss-security/2026/07/01/3
Resource: N/A
2. CISA ADP Vulnrichment
Metrics
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H