h2 vulnerable to denial of service
Moderate severity • GitHub Reviewed • Published Apr 11, 2023 to the GitHub Advisory Database • Updated May 1, 2023
Description
Published by the National Vulnerability Database: Apr 11, 2023
Published to the GitHub Advisory Database: Apr 11, 2023
Reviewed: Apr 11, 2023
Last updated: May 1, 2023
Hyper is an HTTP library for Rust and h2 is an HTTP 2.0 client & server implementation for Rust. An issue was discovered in h2 v0.2.4 when processing header frames. It incorrectly processes the HTTP2 RST_STREAM frames by not always releasing the memory immediately upon receiving the reset frame, leading to stream stacking. As a result, memory and CPU usage are high, which can lead to a Denial of Service (DoS). This issue affects users only when dealing with http2 connections.
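A simplified model of the stream stacking described above, added here as an illustration (it is not h2's code and not part of the advisory). The `Conn`, `Policy` and `simulate` names, the 1 KiB header blocks and the cap of 20 are assumptions; it compares keeping reset streams until the application accepts them with releasing them at once or bounding how many may linger.

```rust
use std::collections::HashMap;

/// What happens to a stream's state when RST_STREAM arrives (toy model, not h2's code).
#[derive(Clone, Copy)]
enum Policy {
    KeepUntilAccepted,  // state lingers after the reset: the "stream stacking" case
    ReleaseImmediately, // free the stream state as soon as the reset is seen
    CapPending(usize),  // keep it, but bound how many reset streams may linger (assumed mitigation)
}
struct Stream { header_block: Vec<u8>, reset: bool }
struct Conn { policy: Policy, streams: HashMap<u32, Stream>, pending_reset: usize, closed: bool }

impl Conn {
    fn on_headers(&mut self, id: u32, header_block: Vec<u8>) {
        if !self.closed { self.streams.insert(id, Stream { header_block, reset: false }); }
    }
    fn on_rst_stream(&mut self, id: u32) {
        let Some(stream) = self.streams.get_mut(&id) else { return };
        if stream.reset { return; } // duplicate reset, already counted
        if matches!(self.policy, Policy::ReleaseImmediately) {
            self.streams.remove(&id);
            return;
        }
        stream.reset = true;
        self.pending_reset += 1;
        if matches!(self.policy, Policy::CapPending(max) if self.pending_reset > max) {
            self.streams.clear(); // treat as a connection error: drop all stream state
            self.closed = true;
        }
    }
    fn retained_bytes(&self) -> usize {
        self.streams.values().map(|s| s.header_block.len()).sum()
    }
}

/// Constructed input: `n` HEADERS frames (1 KiB block each), each reset before being accepted.
fn simulate(policy: Policy, n: u32) -> (usize, bool) {
    let mut conn = Conn { policy, streams: HashMap::new(), pending_reset: 0, closed: false };
    for id in (0..n).map(|i| 2 * i + 1) { // client-initiated stream ids are odd
        conn.on_headers(id, vec![0u8; 1024]);
        conn.on_rst_stream(id);
    }
    (conn.retained_bytes(), conn.closed)
}

fn main() {
    for p in [Policy::KeepUntilAccepted, Policy::ReleaseImmediately, Policy::CapPending(20)] {
        println!("{:?}", simulate(p, 1000)); // (bytes still held, connection closed?)
    }
}
```

With `KeepUntilAccepted`, retained memory grows linearly with the number of reset streams, while the other two policies keep it bounded.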
References