How severe is CVE-2024-27919?

This vulnerability has a severity rating of HIGH with a CVSS score of 7.5 out of 10.

What type of vulnerability is CVE-2024-27919?

This is classified as CWE-390, which is a common weakness in software security.

CVE-2024-27919 - HIGH Severity | CVSS 7.5

Vulnerability Description

Envoy is a cloud-native, open-source edge and service proxy. In versions 1.29.0 and 1.29.1, theEnvoy HTTP/2 protocol stack is vulnerable to the flood of CONTINUATION frames. Envoy's HTTP/2 codec does not reset a request when header map limits have been exceeded. This allows an attacker to send an sequence of CONTINUATION frames without the END_HEADERS bit set causing unlimited memory consumption. This can lead to denial of service through memory exhaustion. Users should upgrade to versions 1.29.2 to mitigate the effects of the CONTINUATION flood. Note that this vulnerability is a regression in Envoy version 1.29.0 and 1.29.1 only. As a workaround, downgrade to version 1.28.1 or earlier or disable HTTP/2 protocol for downstream connections.

Related Vulnerabilities

CVE-2024-49841

HIGH

CVSS:7.8(High)

Memory corruption during memory assignment to headless peripheral VM due to incorrect error code handling.

CWE-3902024

CVE-2025-26465

MEDIUM

CVSS:6.8(Medium)

A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs...

CWE-3902025

CVE-2025-25204

MEDIUM

CVSS:6.3(Medium)

`gh` is GitHub’s official command line tool. Starting in version 2.49.0 and prior to version 2.67.0, under certain conditions, a bug in GitHub's Artifact Attestation cli tool `gh attestation verify` c...

CWE-3902025

CVE-2019-5051

HIGH

CVSS:8.8(High)

An exploitable heap-based buffer overflow vulnerability exists when loading a PCX file in SDL2_image, version 2.0.4. A missing error handler can lead to a buffer overflow and potential code execution....

CWE-3902019

CVE-2024-12086

MEDIUM

CVSS:6.1(Medium)

A flaw was found in rsync. It could allow a server to enumerate the contents of an arbitrary file from the client's machine. This issue occurs when files are being copied from a client to a server. Du...

CWE-3902024

CVE-2017-7485

MEDIUM

CVSS:5.9(Medium)

In PostgreSQL 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3, it was found that the PGREQUIRESSL environment variable was no longer enforcing a SSL/TLS connection...

CWE-3902017