CVE-2026-10725 | Severity: HIGH | CNA: CPANSec

CVE-2026-10725: Protocol::HTTP2 versions before 1.13 for Perl are vulnerable to an HTTP/2 Bomb

Protocol::HTTP2 versions before 1.13 for Perl are vulnerable to an HTTP/2 bomb. Protocol::HTTP2's inbound HPACK path has no header-list size limit, so a small HTTP/2 request can expand into a large amount of server memory (the "HTTP/2 bomb"). The headers_decode method materialises a full key+value copy for every indexed reference with no running size check, and the stream_header_block_add method (since version 1.12) appends every CONTINUATION frame to the per-stream buffer without bound. MAX_HEADER_LIST_SIZE (default 65536) is advertised in SETTINGS but never consulted on decode: it is absent both from the decoder and from the :limits export tag.
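The mechanism described above (and summarised again in the synopsis below), as an added example written for this page in Python rather than Protocol::HTTP2's own Perl code. It is a minimal HPACK decoder that handles indexed fields and literals with incremental indexing using raw (non-Huffman) strings, with a hypothetical two-entry static table. `build_bomb` crafts a block that puts one large entry in the dynamic table and then references it with one-byte indexed fields; `decode_header_block` reproduces the unchecked behaviour when no limit is given and, when given one, applies the RFC 7541 section 4.1 running-size check against MAX_HEADER_LIST_SIZE; `assemble_fragments` shows the matching cap on accumulated CONTINUATION payloads. All function and exception names are the example's own.

```python
# Added example, not Protocol::HTTP2's code: a minimal HPACK decoder showing the
# "HTTP/2 bomb" and the two checks that stop it (RFC 7541 section 4.1 header-list
# accounting against MAX_HEADER_LIST_SIZE, and a cap on accumulated CONTINUATION
# fragments). Indexed fields, incremental-indexing literals, raw strings only.

class HeaderListTooLarge(Exception): pass     # decoded fields exceed MAX_HEADER_LIST_SIZE
class HeaderBlockTooLarge(Exception): pass    # HEADERS+CONTINUATION bytes exceed the cap

STATIC_ENTRIES = 61                           # size of the real HPACK static table
STATIC_TABLE = {2: (b":method", b"GET"), 4: (b":path", b"/")}   # hypothetical subset
DEFAULT_MAX_HEADER_LIST_SIZE = 65536          # what Protocol::HTTP2 advertises in SETTINGS

def entry_size(name, value):                  # RFC 7541 section 4.1: name + value + 32
    return len(name) + len(value) + 32

def encode_int(value, prefix_bits, flags):    # RFC 7541 section 5.1 integer encoding
    mask = (1 << prefix_bits) - 1
    if value < mask:
        return bytes([flags | value])
    out, value = bytearray([flags | mask]), value - mask
    while value >= 128:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)

def decode_int(data, pos, prefix_bits):
    mask = (1 << prefix_bits) - 1
    value, pos = data[pos] & mask, pos + 1
    if value < mask:
        return value, pos
    shift = 0
    while True:
        b, pos = data[pos], pos + 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos

def encode_string(s):                         # H bit clear: raw octets, no Huffman coding
    return encode_int(len(s), 7, 0x00) + s

def decode_string(data, pos):
    if data[pos] & 0x80:
        raise NotImplementedError("Huffman-coded strings are outside this example")
    length, pos = decode_int(data, pos, 7)
    return bytes(data[pos:pos + length]), pos + length

def assemble_fragments(fragments, max_block_bytes=None):
    """Join HEADERS + CONTINUATION payloads; None reproduces the unbounded append."""
    buf = bytearray()
    for frag in fragments:
        if max_block_bytes is not None and len(buf) + len(frag) > max_block_bytes:
            raise HeaderBlockTooLarge(f"header block exceeds {max_block_bytes} bytes")
        buf += frag
    return bytes(buf)

def decode_header_block(block, max_header_list_size=None, dyn_table_size=4096):
    """Decode one header block; None for the limit reproduces the unchecked decoder."""
    dyn, dyn_size = [], 0                     # dynamic table, newest entry first
    fields, list_size, pos = [], 0, 0

    def lookup(idx):
        if 1 <= idx <= STATIC_ENTRIES:
            return STATIC_TABLE[idx]          # KeyError: outside this example's subset
        if STATIC_ENTRIES < idx <= STATIC_ENTRIES + len(dyn):
            return dyn[idx - STATIC_ENTRIES - 1]
        raise ValueError(f"invalid header field index {idx}")

    def add_field(name, value):
        nonlocal list_size
        list_size += entry_size(name, value)  # running total, checked before the append
        if max_header_list_size is not None and list_size > max_header_list_size:
            raise HeaderListTooLarge(f"header list exceeds {max_header_list_size} bytes")
        fields.append((name, value))          # unbounded; Protocol::HTTP2 copies key+value here

    while pos < len(block):
        first = block[pos]
        if first & 0x80:                      # indexed field: one byte on the wire
            idx, pos = decode_int(block, pos, 7)
            add_field(*lookup(idx))
        elif first & 0x40:                    # literal with incremental indexing
            idx, pos = decode_int(block, pos, 6)
            name, pos = decode_string(block, pos) if idx == 0 else (lookup(idx)[0], pos)
            value, pos = decode_string(block, pos)
            add_field(name, value)
            dyn.insert(0, (name, value))      # RFC 7541 section 4.4: insert, evict oldest
            dyn_size += entry_size(name, value)
            while dyn_size > dyn_table_size:
                dyn_size -= entry_size(*dyn.pop())
        else:
            raise NotImplementedError("only indexed and incremental-literal fields here")
    return fields

def build_bomb(value_len=4000, refs=16384):   # one literal into the dynamic table, then refs
    block = bytearray(encode_int(0, 6, 0x40))                # literal, new name, indexed
    block += encode_string(b"x") + encode_string(b"A" * value_len)
    block += encode_int(STATIC_ENTRIES + 1, 7, 0x80) * refs  # index 62 = newest dynamic entry
    return bytes(block)
```

With the default `build_bomb()` arguments the block is 20,390 bytes on the wire and decodes to 16,385 fields of roughly 4 KB each, about 66 MB under RFC 7541 accounting; with `max_header_list_size=65536` the decoder rejects it at the 17th field, before the bulk of the expansion happens. Python shares one value object between the fields, so the example tracks the expansion through the size accounting rather than actual allocation; the Perl decoder on the page makes a full copy per reference, which is why the check has to run before each copy, not after the block is decoded.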

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 1.13
Affected products: 1


HarborGuard Analysis

Synopsis

This is a denial-of-service vulnerability (HTTP/2 bomb) in the Perl module Protocol::HTTP2 before version 1.13. A remote attacker with no authentication can send a small, specially crafted HTTP/2 request that expands into a large amount of server memory during HPACK header decompression, because the library advertises a MAX_HEADER_LIST_SIZE limit in SETTINGS but never enforces it during decoding and appends CONTINUATION frames to a per-stream buffer without any size check. Successful exploitation exhausts server memory and crashes or hangs the affected service. A patched-image rebuild at version 1.13 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-10725 is available across every HarborGuard environment. The CVE is ingested from upstream feeds (including CPANSec) within minutes of publication and matched against customer images in registries and CI pipelines, including custom-built images that bundle the Protocol::HTTP2 Perl module.

Triage: Available

HarborGuard scores this CVE at 7.5 HIGH using the CVSS v3.1 vector and can weight that score against each customer environment's compliance policy to reflect actual exposure. Triage findings are routed to the team inbox or ticket queue configured for each customer organization.

Patch: Available

A patched-image rebuild at Protocol::HTTP2 version 1.13 is available on HarborGuard for any image found to contain an affected version. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run regression tests, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the HTTP/2 service over the network; no local or physical access is required.

  • Authentication: Not required

    No credentials or account are needed; the malicious request can be sent by any unauthenticated client.

  • Victim interaction: Not required

    No user action is required; the server processes the incoming request automatically.

  • Attack complexity: Low

    Exploitation is reliable and condition-free; no race conditions or special environmental factors are needed to trigger the unbounded memory expansion.

Blast Radius

  • The targeted service exhausts available server memory as the HPACK decoder materialises unbounded copies of header key-value pairs from a single small request.
  • Unbounded CONTINUATION frame accumulation per stream compounds the memory growth, and the effect multiplies across repeated requests or many concurrent streams on one connection.
  • The affected process crashes or becomes unresponsive, taking down any HTTP/2 endpoints served by the application.
  • No confidentiality or data integrity impact is present; the sole impact is availability loss of the affected service.

How HarborGuard Handles This

Available on HarborGuard: any image containing Protocol::HTTP2 versions before 1.13 is flagged automatically within minutes of the CVE entering the feed. Where compliance policy permits, a rebuilt image pinned to version 1.13 is made available, and customers with auto-remediation enabled receive a rebuilt image, a regression-test run, and a pull request opened against affected workloads. For high-severity CVEs like this one, the median time from CVE publication to a merged patch PR is around 90 minutes for environments with auto-remediation enabled. Until the patched image is deployed, two compensating controls reduce exposure: network policy that restricts which clients may open HTTP/2 connections to affected services, which shrinks the pool of sources for a bomb request, and terminating HTTP/2 at a reverse proxy that enforces its own header-list and CONTINUATION size limits, so an oversized header block is rejected before it reaches the Perl process. Neither substitutes for the fix, since any client that is allowed through can still send the request.


Fix available: 1.13

Affected packages
  • CRUX / Protocol::HTTP2: < 1.13 (from 0)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H