CVE-2026-10725
Linux Debian vulnerability analysis and mitigation

Overview

CVE-2026-10725 is an HTTP/2 Bomb (data amplification) vulnerability in the Perl module Protocol::HTTP2, affecting all versions through 1.12. The flaw allows an unauthenticated remote attacker to send a small, compressed HTTP/2 request that expands into large server memory consumption, causing denial of service. It was discovered and reported by Robert Rothenberg of the CPAN Security Group, disclosed on June 6, 2026, and assigned a CVSS v3.1 base score of 7.5 (High) (GitHub Advisory, oss-security).

Technical details

The root cause is CWE-409 (Improper Handling of Highly Compressed Data / Data Amplification). Protocol::HTTP2's inbound HPACK decoder in HeaderCompression.pm materializes a full key+value copy for every indexed header reference without any running size check, and the stream_header_block_add method (introduced in version 1.12) appends every CONTINUATION frame to the per-stream buffer without bounds. Although MAX_HEADER_LIST_SIZE (default 65536 bytes) is advertised in the SETTINGS frame, it is never enforced during decoding — it is absent from both the decoder logic and the :limits export tag. The amplification factor can reportedly reach 5700x, enabling an attacker to exhaust server RAM within seconds using a crafted request (GitHub Advisory, Patch Commit, oss-security).

Impact

Successful exploitation causes uncontrolled memory exhaustion on the server running Protocol::HTTP2, leading to service crash or severe slowdown — a complete availability impact with no confidentiality or integrity consequences. Because no authentication is required and attack complexity is low, any internet-exposed Perl application using this module as an HTTP/2 server is at risk. There is no evidence of lateral movement potential, as the impact is limited to denial of service of the affected process (GitHub Advisory, Feedly).

Exploitation steps

  1. Reconnaissance: Identify servers running Perl applications that use Protocol::HTTP2 versions ≤ 1.12 as an HTTP/2 endpoint, using network scanning tools or application fingerprinting.
  2. Craft compressed headers: Construct an HTTP/2 request with a large number of indexed HPACK header references (e.g., referencing static or dynamic table entries repeatedly), keeping the compressed payload small but designed to expand massively upon decompression.
  3. Send CONTINUATION frames: Optionally chain multiple CONTINUATION frames to the initial HEADERS frame, exploiting the unbounded stream_header_block_add buffer accumulation introduced in version 1.12.
  4. Trigger memory exhaustion: The server's headers_decode method processes each indexed reference without a size check, materializing full key+value copies and accumulating them in memory — with an amplification factor up to ~5700x — until the server process exhausts RAM and crashes or becomes unresponsive (Patch Commit, oss-security).

Indicators of compromise

  • Network: Unusual HTTP/2 requests with a high number of HEADERS or CONTINUATION frames from a single source IP; requests with very small compressed payload sizes but triggering high server CPU/memory usage.
  • Logs: Server logs showing connections that abruptly terminate or result in ENHANCE_YOUR_CALM (error code 0xB) RST_STREAM responses after patching; repeated connections from the same client with minimal data transfer.
  • Process/System: Sudden spikes in memory consumption by the Perl server process correlated with incoming HTTP/2 connections; OOM killer events or process crashes in system logs (/var/log/syslog, dmesg) attributable to the Perl HTTP/2 server process.
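As an added illustration of the network and process indicators above (this script is not part of the original report), the code below runs a simple triage rule over constructed HTTP/2 connection-summary log lines. The key=value line format and the field names headers, continuation, bytes_in and rss_delta_kb are hypothetical; a real deployment would adapt the regex to whatever its reverse proxy or application actually logs. It flags connections carrying a long CONTINUATION chain or a memory increase far out of proportion to the bytes received, then counts peers that trip the rule repeatedly.

```python
"""Added example, not from the advisory: triage of HTTP/2 connection-summary
log lines against the indicators listed above.  The line format and the
fields headers/continuation/bytes_in/rss_delta_kb are hypothetical."""
import re
from collections import Counter

# Constructed sample lines; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_LOG = """\
2026-06-07T10:01:02Z conn=0x1a1 peer=198.51.100.7 headers=1 continuation=0 bytes_in=842 rss_delta_kb=96
2026-06-07T10:01:03Z conn=0x1a2 peer=203.0.113.9 headers=1 continuation=14 bytes_in=1210 rss_delta_kb=118000
2026-06-07T10:01:03Z conn=0x1a3 peer=203.0.113.9 headers=1 continuation=16 bytes_in=1305 rss_delta_kb=131000
2026-06-07T10:01:04Z conn=0x1a4 peer=198.51.100.22 headers=1 continuation=1 bytes_in=5120 rss_delta_kb=260
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) conn=(?P<conn>\S+) peer=(?P<peer>\S+) headers=(?P<headers>\d+) "
    r"continuation=(?P<continuation>\d+) bytes_in=(?P<bytes_in>\d+) "
    r"rss_delta_kb=(?P<rss_delta_kb>\d+)$"
)
INT_FIELDS = ("headers", "continuation", "bytes_in", "rss_delta_kb")


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        yield rec


def find_suspects(records, max_continuation=8, max_amplification=1000):
    """Flag connections with a long CONTINUATION chain or with memory growth
    far out of proportion to the bytes actually received on the wire."""
    flagged = []
    for rec in records:
        # Bytes of RSS growth per byte received: the "small payload, large
        # memory" indicator expressed as a ratio.
        amplification = rec["rss_delta_kb"] * 1024 / max(rec["bytes_in"], 1)
        reasons = []
        if rec["continuation"] > max_continuation:
            reasons.append(f"{rec['continuation']} CONTINUATION frames")
        if amplification > max_amplification:
            reasons.append(f"memory/wire ratio {amplification:.0f}x")
        if reasons:
            flagged.append({"conn": rec["conn"], "peer": rec["peer"],
                            "amplification": round(amplification),
                            "reasons": reasons})
    return flagged


def repeat_offenders(flagged, min_hits=2):
    """Peers behind several flagged connections: the 'repeated connections
    from the same client with minimal data transfer' indicator."""
    counts = Counter(f["peer"] for f in flagged)
    return {peer: n for peer, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    hits = find_suspects(parse_log(SAMPLE_LOG))
    for h in hits:
        print(h["conn"], h["peer"], "; ".join(h["reasons"]))
    print("repeat offenders:", repeat_offenders(hits))
```

The thresholds (more than 8 CONTINUATION frames, more than 1000 bytes of memory growth per wire byte) are starting points chosen for the sample data, not tuned values; legitimate large cookies or long header lists will sit well below a four-digit ratio, so the ratio rule is the more robust of the two.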

Mitigation and workarounds

Upgrade Protocol::HTTP2 to version 1.13 or later, which enforces the SETTINGS_MAX_HEADER_LIST_SIZE limit during HPACK decoding and terminates connections with ENHANCE_YOUR_CALM when the limit is exceeded (Patch Commit, MetaCPAN). If immediate upgrade is not possible, apply the official patch from the CPAN Security Group (CVE-2026-10725-r2.patch). Additionally, deploying a reverse proxy or WAF with HTTP/2 bomb mitigation, implementing network-level rate limiting on HTTP/2 connections, and monitoring server memory for unusual spikes are recommended compensating controls. SUSE has issued a security update (SUSE-SU-2026:2306-1) for affected distributions (SUSE Advisory).
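The technical-details section above describes the defect as a decoder that materialises a copy for every indexed header reference without a running size check, and the mitigation as enforcing SETTINGS_MAX_HEADER_LIST_SIZE during decoding. The following added example (written here for this page, not Protocol::HTTP2's own Perl code) is a minimal HPACK header-block decoder in Python that performs that check before each decoded field is kept, so a small wire block cannot expand into an unbounded header list. Simplifying assumptions: only two HPACK representations are handled (indexed field, RFC 7541 section 6.1, and literal with incremental indexing, section 6.2.1); string literals are plain, not Huffman-coded; dynamic-table eviction is omitted; and the static table is a constructed subset of RFC 7541 Appendix A using the real index numbers. The names HpackDecoder, EnhanceYourCalm, build_demo_block and decode_or_calm are this example's own.

```python
"""Added example; this is not Protocol::HTTP2's code.  A minimal HPACK
decoder that enforces the advertised MAX_HEADER_LIST_SIZE while decoding.
Assumptions: indexed and literal-with-indexing fields only, plain strings,
no dynamic-table eviction, constructed subset of the RFC 7541 static table."""

STATIC_TABLE = {            # subset of RFC 7541 Appendix A, real indexes
    1: (":authority", ""), 2: (":method", "GET"), 3: (":method", "POST"),
    4: (":path", "/"), 5: (":path", "/index.html"), 6: (":scheme", "http"),
    7: (":scheme", "https"), 8: (":status", "200"),
    16: ("accept-encoding", "gzip, deflate"), 58: ("user-agent", ""),
}
STATIC_TABLE_SIZE = 61      # full static table length; dynamic entries start at 62
ENTRY_OVERHEAD = 32         # per-field overhead in the HTTP/2 header list size


class EnhanceYourCalm(Exception):
    """Header list exceeded the limit; an HTTP/2 server would close the
    connection with error code 0xB (ENHANCE_YOUR_CALM)."""
    def __init__(self, size, limit, fields_kept):
        super().__init__(f"header list {size} > limit {limit} after {fields_kept} fields")
        self.fields_kept = fields_kept


def header_list_size(headers):
    """Header list size as HTTP/2 defines it for MAX_HEADER_LIST_SIZE."""
    return sum(len(n) + len(v) + ENTRY_OVERHEAD for n, v in headers)


def _read_int(block, pos, prefix_bits):
    """HPACK integer with an N-bit prefix (RFC 7541 s5.1) -> (value, new_pos)."""
    mask = (1 << prefix_bits) - 1
    value = block[pos] & mask
    pos += 1
    if value < mask:
        return value, pos
    shift = 0
    while True:                       # continuation bytes, 7 bits each
        byte = block[pos]
        pos += 1
        value += (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return value, pos


def _read_string(block, pos):
    """Plain (non-Huffman) HPACK string literal (RFC 7541 s5.2)."""
    if block[pos] & 0x80:
        raise ValueError("Huffman strings are outside this example")
    length, pos = _read_int(block, pos, 7)
    return block[pos:pos + length].decode("ascii"), pos + length


class HpackDecoder:
    def __init__(self, max_header_list_size=65536):   # the advertised default
        self.max_header_list_size = max_header_list_size
        self.dynamic_table = []       # newest entry first (RFC 7541 s2.3.2)

    def _lookup(self, index):
        if index in STATIC_TABLE:
            return STATIC_TABLE[index]
        dyn = index - STATIC_TABLE_SIZE - 1
        if not 0 <= dyn < len(self.dynamic_table):
            raise ValueError(f"index {index} not resolvable in this example")
        return self.dynamic_table[dyn]

    def decode(self, block):
        """Decode one header block, aborting as soon as the running size
        would exceed the limit, before the next copy is kept."""
        headers, running_size, pos = [], 0, 0
        while pos < len(block):
            first = block[pos]
            if first & 0x80:                      # 1xxxxxxx: indexed field
                index, pos = _read_int(block, pos, 7)
                name, value = self._lookup(index)
            elif first & 0xC0 == 0x40:            # 01xxxxxx: literal, add to table
                index, pos = _read_int(block, pos, 6)
                if index:
                    name = self._lookup(index)[0]
                else:
                    name, pos = _read_string(block, pos)
                value, pos = _read_string(block, pos)
                self.dynamic_table.insert(0, (name, value))
            else:
                raise ValueError("representation not handled in this example")
            # The check itself: a one-byte index reference still costs the
            # full name+value+32 against the limit, so copies stay bounded.
            running_size += len(name) + len(value) + ENTRY_OVERHEAD
            if running_size > self.max_header_list_size:
                raise EnhanceYourCalm(running_size, self.max_header_list_size, len(headers))
            headers.append((name, value))
        return headers


def _encode_string(s):
    data = s.encode("ascii")
    if len(data) > 126:
        raise ValueError("one-byte length only in this example")
    return bytes([len(data)]) + data


def build_demo_block(value_len=100, n_refs=1000):
    """Constructed regression input: one literal added to the dynamic table
    (index 62), then n_refs one-byte references to it."""
    block = b"\x40" + _encode_string("x-demo") + _encode_string("A" * value_len)
    return block + bytes([0x80 | (STATIC_TABLE_SIZE + 1)]) * n_refs


def decode_or_calm(block, limit):
    """('ok', headers) or ('ENHANCE_YOUR_CALM', fields kept before the abort)."""
    try:
        return "ok", HpackDecoder(limit).decode(block)
    except EnhanceYourCalm as exc:
        return "ENHANCE_YOUR_CALM", exc.fields_kept


if __name__ == "__main__":
    block = build_demo_block()
    _, headers = decode_or_calm(block, 2**31)     # no effective limit
    print(f"{len(block)} wire bytes -> {header_list_size(headers)} bytes of header list")
    print("with the default limit:", decode_or_calm(block, 65536))
```

Run stand-alone, the unbounded decoder turns 1109 wire bytes into a 138,138-byte header list, while the same input under the default 65536-byte limit stops after 474 fields. The point of placing the check inside the decode loop, rather than on the finished list, is that memory is bounded at the moment each copy would be made; a check after decoding would still let the full list be materialised first.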

Community reactions

The vulnerability was disclosed via the oss-security mailing list by Robert Rothenberg of the CPAN Security Group on June 6, 2026, referencing a broader HTTP/2 bomb attack technique publicly described on June 2, 2026 (oss-security). SUSE issued a security advisory and package update shortly after disclosure, and the issue was picked up by Linux security news outlets including LinuxSecurity.com and Pro-Linux.de. Social media posts on Bluesky noted the CVE publication. Overall community reaction was measured, consistent with a library-level DoS vulnerability with no in-the-wild exploitation.

This report was generated using artificial intelligence.
