CVE-2026-10725: 
Linux Debian Analyse et atténuation des vulnérabilités

CVE-2026-10725 is an HTTP/2 Bomb (data amplification) vulnerability in the Perl module Protocol::HTTP2, affecting all versions through 1.12. The flaw allows an unauthenticated remote attacker to send a small, specially crafted HTTP/2 request that expands into large server memory consumption, causing a denial of service. It was disclosed on June 6, 2026 by Robert Rothenberg via the CPAN Security Group and the oss-security mailing list, with a fix released in version 1.13. The vulnerability carries a CVSS v3.1 base score of 7.5 (High) (GitHub Advisory, oss-security).

The root cause is classified as CWE-409 (Improper Handling of Highly Compressed Data / Data Amplification). Protocol::HTTP2's inbound HPACK header decompression path lacks any header-list size limit enforcement: the headers_decode method materializes a full key+value copy for every indexed reference without a running size check, and the stream_header_block_add method (introduced in version 1.12) appends every CONTINUATION frame to the per-stream buffer without any bound. Although MAX_HEADER_LIST_SIZE (default 65536) is advertised in the HTTP/2 SETTINGS frame, it is never consulted during decoding and is absent from both the decoder logic and the :limits export tag. The vulnerable code paths are located in lib/Protocol/HTTP2/HeaderCompression.pm (line 133) and lib/Protocol/HTTP2/Stream.pm (line 414) (GitHub Advisory, oss-security).

Successful exploitation causes a denial of service by exhausting server memory. An unauthenticated attacker can send a compact HTTP/2 request with heavily indexed HPACK headers and/or chained CONTINUATION frames that decompress into arbitrarily large in-memory structures, degrading or crashing the affected Perl service. There is no confidentiality or integrity impact; the vulnerability is limited to availability (GitHub Advisory, oss-security).

The primary remediation is to upgrade Protocol::HTTP2 to version 1.13 or later, which implements proper header-list size limits in the HPACK decoder (metacpan 1.13). For systems that cannot immediately upgrade, the CPAN Security Group has published patches: CVE-2026-10725-r1.patch and CVE-2026-10725-r2.patch, available at https://security.metacpan.org/patches/P/Protocol-HTTP2/1.12/. Additionally, network-level mitigations such as rate limiting HTTP/2 connections and restricting maximum request header sizes at a reverse proxy or load balancer can reduce exposure. SUSE has released a security update (SUSE-SU-2026:2306-1) for affected openSUSE Leap packages (SUSE Advisory, oss-security).

The vulnerability was disclosed via the oss-security mailing list by Robert Rothenberg of the CPAN Security Group on June 6, 2026, with a clear technical description and patch references (oss-security). SUSE issued a security advisory (SUSE-SU-2026:2306-1) and updated packages for openSUSE Leap shortly after disclosure (SUSE Advisory). Social media activity was limited, with brief mentions on Bluesky security feeds. Overall community reaction was measured, consistent with a moderate-severity DoS vulnerability in a niche Perl library with no active exploitation.