CVE-2016-1544: 
CMake vulnerability analysis and mitigation

CVE-2016-1544 affects nghttp2 versions before 1.7.1, discovered and disclosed on January 7, 2016. The vulnerability impacts the nghttp2 implementation, specifically affecting nghttpd, nghttp, and libnghttp2_asio applications. This security issue allows remote attackers to cause a denial of service through memory exhaustion (NVD, GitHub Release).

The vulnerability stems from the applications' failure to limit memory usage for incoming HTTP header fields. The issue relates to HTTP/2's HPACK header compression mechanism, where header fields are stored with numeric index numbers. After storing a relatively large header field (e.g., 4KiB), an attacker can send specially crafted HEADERS/CONTINUATION frames containing multiple references to the stored header field, effectively sending large amounts of header fields to exhaust memory. The vulnerability has a CVSS v3.1 Base Score of 3.3 (Low) with the vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L (NVD, GitHub Release).

When exploited, this vulnerability can cause affected applications to crash due to out of memory errors. While the libnghttp2 library itself is not affected, applications built using it (nghttpd, nghttp, and libnghttp2_asio) are vulnerable to denial of service attacks through memory exhaustion (GitHub Release, Gentoo Security).

The vulnerability was fixed in nghttp2 version 1.7.1. Users are advised to upgrade to this version or later. The fix implements limits on the memory usage for incoming HTTP header fields. No alternative workarounds are available for users unable to upgrade (GitHub Release, Gentoo Security).

The vulnerability was first reported to the nghttp2 team on February 3, 2016, by Noam Mazor. The team responded promptly by releasing version 1.7.1 on February 11, 2016, which included the fix. Various Linux distributions, including Fedora and Gentoo, subsequently released security advisories and patches for their packages (GitHub Release, Red Hat Bugzilla).