PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10725 CRUX CVE debrief

CVE-2026-10725 is a HIGH severity (CVSS 7.5) vulnerability in Protocol::HTTP2, a Perl implementation of the HTTP/2 protocol. Versions before 1.13 are exposed to an HTTP/2 'bomb': a small HTTP/2 request can expand into a large amount of server memory, because the inbound HPACK path enforces no header-list size limit and CONTINUATION frames are appended to the per-stream buffer without bound.

Vendor
CRUX
Product
Protocol::HTTP2
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-06
Original CVE updated
2026-06-10
Advisory published
2026-06-06
Advisory updated
2026-06-10

Who should care

Anyone running Protocol::HTTP2 before 1.13 for Perl, in particular servers that decode headers sent by untrusted clients, should upgrade to 1.13 (or apply the patch) to close the HTTP/2 'bomb' memory-exhaustion vector.

Technical summary

Protocol::HTTP2 versions before 1.13 for Perl are vulnerable to an HTTP/2 bomb. The inbound HPACK path has no header-list size limit, so a small HTTP/2 request can expand into a large amount of server memory: an indexed HPACK reference costs a byte or two on the wire, but the headers_decode method materialises a full key+value copy for each one with no running size check, and the stream_header_block_add method appends every CONTINUATION frame to the per-stream buffer without bound. MAX_HEADER_LIST_SIZE (default 65536) is advertised in SETTINGS but never consulted during decode, so the limit the peer is told about is never enforced.
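The following is an added example, written for this debrief in Python rather than Perl; it is not Protocol::HTTP2 code and its names (Decoder, build_bomb, assemble_header_block, accepted) are the example's own, not the module's headers_decode or stream_header_block_add. It shows the shape of the attack and of both fixes: an HPACK decoder that charges every decoded entry against the advertised MAX_HEADER_LIST_SIZE before materialising it, a HEADERS/CONTINUATION accumulator that refuses to buffer past a cap, and a constructed 'bomb' header block that parks one large literal in the dynamic table and then replays it with thousands of one-byte indexed references. Assumptions: the static table is truncated to its first 7 entries, Huffman-coded strings are not handled, and the bomb sizes are chosen for illustration.

```python
"""Added example (editor's own code, not Protocol::HTTP2's): an HPACK decoder that
charges every decoded entry against SETTINGS_MAX_HEADER_LIST_SIZE, a bounded
HEADERS/CONTINUATION accumulator, and a constructed 'bomb' block that defeats an
unchecked decoder. Assumptions: no Huffman strings; static table cut to 7 entries."""
from typing import List, Optional, Tuple

Header = Tuple[bytes, bytes]
STATIC_TABLE: List[Header] = [   # RFC 7541 Appendix A, first 7 of the 61 entries
    (b":authority", b""), (b":method", b"GET"), (b":method", b"POST"), (b":path", b"/"),
    (b":path", b"/index.html"), (b":scheme", b"http"), (b":scheme", b"https")]
STATIC_TABLE_LEN = 61            # so the newest dynamic-table entry is always index 62

class HeaderListTooLarge(Exception): pass   # decoded list passed SETTINGS_MAX_HEADER_LIST_SIZE
class HeaderBlockTooLarge(Exception): pass  # buffered CONTINUATION data passed the local cap

def list_size(headers: List[Header]) -> int:
    return sum(len(n) + len(v) + 32 for n, v in headers)   # RFC 7541 section 4.1

def encode_int(value: int, prefix_bits: int, first_byte: int = 0) -> bytes:   # RFC 7541 5.1
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([first_byte | value])
    out, value = bytearray([first_byte | limit]), value - limit
    while value >= 128:
        out.append((value % 128) | 0x80)
        value //= 128
    return bytes(out + bytes([value]))

def decode_int(block: bytes, pos: int, prefix_bits: int) -> Tuple[int, int]:
    limit = (1 << prefix_bits) - 1
    value, pos, shift = block[pos] & limit, pos + 1, 0
    while value >= limit:                    # prefix saturated: continuation bytes follow
        b, pos = block[pos], pos + 1
        value, shift = value + ((b & 0x7F) << shift), shift + 7
        if not b & 0x80:
            break
    return value, pos

def decode_string(block: bytes, pos: int) -> Tuple[bytes, int]:
    if block[pos] & 0x80: raise NotImplementedError("Huffman-coded strings not handled here")
    length, pos = decode_int(block, pos, 7)  # H bit clear: raw octets follow the length
    return block[pos:pos + length], pos + length

def build_bomb(value_len: int = 4000, references: int = 4000) -> bytes:
    """Constructed bomb: one 6.2.1 literal parks a large entry in the dynamic table
    (index 62), then thousands of one-byte 6.1 indexed references (0x80 | 62) replay it."""
    literal = encode_int(0, 6, 0x40) + encode_int(1, 7) + b"x" + encode_int(value_len, 7) + b"A" * value_len
    return literal + encode_int(62, 7, 0x80) * references

class Decoder:
    def __init__(self, max_header_list_size: Optional[int] = 65536) -> None:
        self.max_header_list_size = max_header_list_size   # None reproduces the unchecked bug
        self.dynamic_table_size, self.dynamic = 4096, []   # newest dynamic entry first
    def _lookup(self, index: int) -> Header:
        if 1 <= index <= STATIC_TABLE_LEN:
            return STATIC_TABLE[index - 1]   # IndexError for static entries omitted above
        if not 1 <= index - STATIC_TABLE_LEN <= len(self.dynamic):
            raise ValueError("HPACK index out of range: %d" % index)
        return self.dynamic[index - STATIC_TABLE_LEN - 1]
    def _evict(self) -> None:
        while self.dynamic and list_size(self.dynamic) > self.dynamic_table_size:
            self.dynamic.pop()
    def decode(self, block: bytes) -> List[Header]:
        headers, total, pos = [], 0, 0
        while pos < len(block):
            b = block[pos]
            if b & 0x80:                                   # 6.1 indexed field
                index, pos = decode_int(block, pos, 7)
                name, value = self._lookup(index)
            elif (b & 0xE0) == 0x20:                       # 6.3 dynamic table size update
                self.dynamic_table_size, pos = decode_int(block, pos, 5)
                self._evict()
                continue
            else:                                          # 6.2.1 / 6.2.2 / 6.2.3 literal field
                index, pos = decode_int(block, pos, 6 if b & 0x40 else 4)
                name, pos = (self._lookup(index)[0], pos) if index else decode_string(block, pos)
                value, pos = decode_string(block, pos)
            # The check the advisory says is missing: charge the entry before materialising it.
            total += len(name) + len(value) + 32
            if self.max_header_list_size is not None and total > self.max_header_list_size:
                raise HeaderListTooLarge("header list %d > %d" % (total, self.max_header_list_size))
            headers.append((name, value))
            if (b & 0xC0) == 0x40:                         # only 6.2.1 enters the dynamic table
                self.dynamic.insert(0, (name, value))
                self._evict()
        return headers

def assemble_header_block(fragments: List[bytes], max_block_bytes: int) -> bytes:
    """Join a HEADERS payload and its CONTINUATION payloads, refusing to buffer past the cap."""
    buf = bytearray()
    for frag in fragments:
        if len(buf) + len(frag) > max_block_bytes:
            raise HeaderBlockTooLarge("header block exceeds %d bytes" % max_block_bytes)
        buf += frag
    return bytes(buf)

def accepted(block: bytes, limit: Optional[int] = 65536) -> bool:   # decodes within limit?
    try:
        return Decoder(limit).decode(block) is not None
    except HeaderListTooLarge:
        return False
```

With the defaults, build_bomb() is 8006 bytes on the wire and fits in a single HTTP/2 frame, yet an unchecked decoder (Decoder(None)) turns it into 4001 headers whose RFC 7541 list size is about 16 MB; the checked decoder rejects it at the 17th entry, when the running total first passes 65536. Because this bomb never needs CONTINUATION frames, the per-stream buffer cap in assemble_header_block does not stop it on its own, which is why both gaps named in the summary have to be closed.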

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade to Protocol::HTTP2 version 1.13 or later.
  • If upgrading is not immediately possible, apply the upstream fix commit: https://github.com/vlet/p5-Protocol-HTTP2/commit/822bf22224adbd662e8d0b865eeacb2b294d16cd.patch
  • Alternatively, apply the patch for 1.12 published at security.metacpan.org: https://security.metacpan.org/patches/P/Protocol-HTTP2/1.12/CVE-2026-10725-r2.patch

Evidence notes

The vulnerability was reported by [redacted] and patched by the vendor.

Official resources

CVE-2026-10725 was published on 2026-06-06T10:16:25.790Z and modified on 2026-06-10T14:56:34.787Z.