{"id":"CVE-2018-16844","details":"nginx versions before 1.15.6 and 1.14.1 have a vulnerability in the HTTP/2 implementation that can allow excessive CPU usage. The issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) when the 'http2' option of the 'listen' directive is used in a configuration file.","modified":"2026-04-16T06:15:34.871417254Z","published":"2018-11-07T14:29:00.837Z","related":["SUSE-SU-2019:0334-1","SUSE-SU-2019:2309-1","openSUSE-SU-2019:0195-1","openSUSE-SU-2019:2120-1"],"references":[{"type":"ADVISORY","url":"http://mailman.nginx.org/pipermail/nginx-announce/2018/000220.html"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/105868"},{"type":"ADVISORY","url":"https://support.apple.com/kb/HT212818"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3812-1/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2018/dsa-4335"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html"},{"type":"ADVISORY","url":"http://seclists.org/fulldisclosure/2021/Sep/36"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1042038"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:3680"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:3681"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16844"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nginx/nginx","events":[{"introduced":"658813c43b9c930c8fad2cd04600d1aba2ef031b"},{"fixed":"79b5093854dbbae2e8a53df1b08d2ec466b124ba"},{"introduced":"3880706655d9b5aacd991bbee8613e8b00e9864e"},{"fixed":"ac071c1490a30d8acff51383c77d9b72966df6d1"}],"database_specific":{"versions":[{"introduced":"1.9.5"},{"fixed":"1.14.1"},{"introduced":"1.15.0"},{"fixed":"1.15.6"}]}}],"versions":["release-1.11.0","release-1.11.1","release-1.11.10","release-1.11.11","release-1.11.12","release-1.11.13","release-1.11.2","release-1.11.3","release-1.11.4","release-1
.11.5","release-1.11.6","release-1.11.7","release-1.11.8","release-1.11.9","release-1.13.0","release-1.13.1","release-1.13.10","release-1.13.11","release-1.13.12","release-1.13.2","release-1.13.3","release-1.13.4","release-1.13.5","release-1.13.6","release-1.13.7","release-1.13.8","release-1.13.9","release-1.14.0","release-1.15.0","release-1.15.1","release-1.15.2","release-1.15.3","release-1.15.4","release-1.15.5","release-1.9.10","release-1.9.11","release-1.9.12","release-1.9.13","release-1.9.14","release-1.9.15","release-1.9.5","release-1.9.6","release-1.9.7","release-1.9.8","release-1.9.9"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.04"}]},{"events":[{"introduced":"0"},{"last_affected":"16.04"}]},{"events":[{"introduced":"0"},{"last_affected":"18.04"}]},{"events":[{"introduced":"0"},{"last_affected":"18.10"}]},{"events":[{"introduced":"0"},{"fixed":"13.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-16844.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}