{"id":"CVE-2022-41556","details":"A resource leak in gw_backend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service (connection-slot exhaustion) after a large amount of anomalous TCP behavior by clients. It is related to RDHUP mishandling in certain HTTP/1.1 chunked situations. Use of mod_fastcgi is, for example, affected. This is fixed in 1.4.67.","modified":"2026-03-14T15:00:15.711616Z","published":"2022-10-06T18:17:03.620Z","related":["MGASA-2022-0369","openSUSE-SU-2022:10140-1","openSUSE-SU-2024:12382-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OVOSBSCMLGCHH2Z74H64ZWVDFJFQTBC2/"},{"type":"ADVISORY","url":"https://github.com/lighttpd/lighttpd1.4/compare/lighttpd-1.4.66...lighttpd-1.4.67"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202210-12"},{"type":"REPORT","url":"https://github.com/lighttpd/lighttpd1.4/pull/115"},{"type":"FIX","url":"https://git.lighttpd.net/lighttpd/lighttpd1.4/commit/b18de6f9264f914f7bf493abd3b6059343548e50"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/lighttpd/lighttpd1.4","events":[{"introduced":"b8e011d230c206503f072cce0c176da8a938cf00"},{"fixed":"fc4cdb76479f10b2c0712f386ca5e405581ed0fc"}],"database_specific":{"versions":[{"introduced":"1.4.56"},{"fixed":"1.4.67"}]}}],"versions":["lighttpd-1.4.56","lighttpd-1.4.57","lighttpd-1.4.58","lighttpd-1.4.59","lighttpd-1.4.60","lighttpd-1.4.61","lighttpd-1.4.62","lighttpd-1.4.63","lighttpd-1.4.64","lighttpd-1.4.65","lighttpd-1.4.66"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"35"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-41556.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}