{"id":"CVE-2016-6580","details":"A HTTP/2 implementation built using any version of the Python priority library prior to version 1.2.0 could be targeted by a malicious peer by having that peer assign priority information for every possible HTTP/2 stream ID. The priority tree would happily continue to store the priority information for each stream, and would therefore allocate unbounded amounts of memory. Attempting to actually use a tree like this would also cause extremely high CPU usage to maintain the tree.","aliases":["GHSA-h3q4-6j7f-r24c","PYSEC-2017-93"],"modified":"2026-04-10T03:52:41.796733Z","published":"2017-01-10T15:59:00.377Z","references":[{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/92311"},{"type":"ADVISORY","url":"https://python-hyper.org/priority/en/latest/security/CVE-2016-6580.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/python-hyper/priority","events":[{"introduced":"0"},{"last_affected":"fbdf9c1e3faa5b7148b2dcfae259c556bd29bdbc"},{"introduced":"0"},{"last_affected":"58feaac48e7ea8019c1a9d8b5c9a3382dfeb493d"},{"introduced":"0"},{"last_affected":"adec8eabc3587eb2c1b096bbddb902569d80eef7"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.0.0"},{"introduced":"0"},{"last_affected":"1.1.0"},{"introduced":"0"},{"last_affected":"1.1.1"}]}}],"versions":["v1.0.0","v1.1.0","v1.1.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-6580.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}