CVE-2022-24666: 
Swift vulnerability analysis and mitigation

A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HTTP/2 frame. The vulnerability affects all swift-nio-http2 versions from 1.0.0 to 1.19.1, with a fix released in version 1.19.2. The issue was discovered through automated fuzzing by oss-fuzz and was assigned CVE-2022-24666 (GitHub Advisory).

The vulnerability stems from a logical error in parsing HTTP/2 HEADERS frames that contain priority information without any other data. This parsing error leads to confusion about the frame size, resulting in a parsing error that causes an immediate process crash. The vulnerability has been assigned a CVSS v3.1 score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory).

The impact of this vulnerability is severe on service availability. When exploited, it immediately crashes the server, causing all in-flight connections to drop and requiring service restart. While the vulnerability doesn't directly compromise confidentiality or integrity, sudden process crashes may lead to violations of service invariants that could potentially result in confidentiality or integrity risks (GitHub Advisory).

The vulnerability has been fixed in version 1.19.2 by rewriting the parsing code to correctly handle the condition. As a temporary mitigation, organizations can attempt to prevent untrusted peers from communicating with the service, though this mitigation may not be available to many services (GitHub Advisory).