{"id":"UBUNTU-CVE-2019-9515","details":"Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.","modified":"2026-05-20T16:04:04.378492606Z","published":"2019-08-13T00:00:00Z","related":["USN-4308-1","USN-4866-1"],"upstream":["CVE-2019-9515"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-9515"},{"type":"REPORT","url":"https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"},{"type":"REPORT","url":"https://netty.io/news/2019/08/13/4-1-39-Final.html"},{"type":"REPORT","url":"http://blog.kazuhooku.com/2019/08/h2o-version-226-230-beta2-released.html"},{"type":"REPORT","url":"https://github.com/netty/netty/pull/9460"},{"type":"REPORT","url":"https://labs.twistedmatrix.com/2019/11/twisted-19100-released.html"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-4308-1"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-4866-1"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2019-9515"}],"affected":[{"package":{"name":"golang-google-grpc","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/golang-google-grpc?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.0~git20150514.0.f5ebd86-1","0.0~git20150514.0.f5ebd86-2","0.0~git20151002.0.3e7b7e5-1"],"ecosystem_specific":{"binaries":[{"binary_name":"golang-google-grpc-dev","binary_version":"0.0~git20151002.0.3e7b7e5-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-9515.json"}},{"package":{"name":"grpc","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/grpc?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.10.2-1","0.11.1-1"],"ecosystem_specific":{"binaries":[{"binary_name":"libgrpc0","binary_version":"0.11.1-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-9515.json"}},{"package":{"name":"trafficserver","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/trafficserver?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["5.3.0-2ubuntu1","5.3.0-2ubuntu2"],"ecosystem_specific":{"binaries":[{"binary_name":"trafficserver","binary_version":"5.3.0-2ubuntu2"},{"binary_name":"trafficserver-experimental-plugins","binary_version":"5.3.0-2ubuntu2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-9515.json"}},{"package":{"name":"twisted","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/twisted?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"17.9.0-2ubuntu0.1"}]}],"versions":["16.6.0-2ubuntu3","17.9.0-1","17.9.0-2"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_name":"python-twisted","binary_version":"17.9.0-2ubuntu0.1"},{"binary_name":"python-twisted-bin","binary_version":"17.9.0-2ubuntu0.1"},{"binary_name":"python-twisted-conch","binary_version":"1:17.9.0-2ubuntu0.1"},{"binary_name":"python-twisted-core","binary_version":"17.9.0-2ubuntu0.1"},{"binary_name":"python-twisted-mail","binary_version":"17.9.0-2ubuntu0.1"},{"binary_name":"python-twisted-names","binary_version":"17.9.0-2ubuntu0.1"},{"binary_name":"python-twisted-news","binary_version":"17.9.0-2ubuntu0.1"},{"binary_name":"python-twisted-runner","binary_version":"17.9.0-2ubuntu0.1"},{"binary_name":"python-twisted-web","binary_version":"17.9.0-2ubuntu0.1"},{"binary_name":"python-twisted-words","binary_version":"17.9.0-2ubuntu0.1"},{"binary_name":"python3-twisted","binary_version":"17.9.0-2ubuntu0.1"},{"binary_name":"python3-twisted-bin","binary_version":"17.9.0-2ubuntu0.1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-9515.json"}},{"package":{"name":"golang-google-grpc","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/golang-google-grpc?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.0.4-1","1.6.0-2","1.6.0-3","1.6.0-3ubuntu0.18.04.1"],"ecosystem_specific":{"binaries":[{"binary_name":"golang-google-grpc-dev","binary_version":"1.6.0-3ubuntu0.18.04.1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-9515.json"}},{"package":{"name":"grpc","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/grpc?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.3.2-1","1.3.2-1ubuntu1","1.3.2-1.1~build1"],"ecosystem_specific":{"binaries":[{"binary_name":"libgrpc++1","binary_version":"1.3.2-1.1~build1"},{"binary_name":"libgrpc3","binary_version":"1.3.2-1.1~build1"},{"binary_name":"protobuf-compiler-grpc","binary_version":"1.3.2-1.1~build1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-9515.json"}},{"package":{"name":"h2o","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/h2o?arch=source&distro=esm-apps%2Fbionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.2.3+dfsg-2","2.2.4+dfsg-1","2.2.4+dfsg-1build1","2.2.4+dfsg-1ubuntu0.1~esm2"],"ecosystem_specific":{"binaries":[{"binary_name":"h2o","binary_version":"2.2.4+dfsg-1ubuntu0.1~esm2"},{"binary_name":"libh2o-dev-common","binary_version":"2.2.4+dfsg-1ubuntu0.1~esm2"},{"binary_name":"libh2o-evloop0.13","binary_version":"2.2.4+dfsg-1ubuntu0.1~esm2"},{"binary_name":"libh2o0.13","binary_version":"2.2.4+dfsg-1ubuntu0.1~esm2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-9515.json"}},{"package":{"name":"netty","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/netty?arch=source&distro=esm-apps%2Fbionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:4.1.7-4ubuntu0.1+esm1"}]}],"versions":["1:4.1.7-4","1:4.1.7-4ubuntu0.1~esm1","1:4.1.7-4ubuntu0.1"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","binaries":[{"binary_name":"libnetty-java","binary_version":"1:4.1.7-4ubuntu0.1+esm1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-9515.json"}},{"package":{"name":"trafficserver","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/trafficserver?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["7.0.0-5","7.1.2+ds-2","7.1.2+ds-2build1","7.1.2+ds-3"],"ecosystem_specific":{"binaries":[{"binary_name":"trafficserver","binary_version":"7.1.2+ds-3"},{"binary_name":"trafficserver-experimental-plugins","binary_version":"7.1.2+ds-3"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-9515.json"}},{"package":{"name":"twisted","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/twisted?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"18.9.0-6ubuntu1"}]}],"versions":["18.9.0-3ubuntu1","18.9.0-5","18.9.0-6","18.9.0-6build1"],"ecosystem_specific":{"binaries":[{"binary_name":"python-twisted","binary_version":"18.9.0-6ubuntu1"},{"binary_name":"python-twisted-bin","binary_version":"18.9.0-6ubuntu1"},{"binary_name":"python-twisted-conch","binary_version":"1:18.9.0-6ubuntu1"},{"binary_name":"python-twisted-core","binary_version":"18.9.0-6ubuntu1"},{"binary_name":"python-twisted-mail","binary_version":"18.9.0-6ubuntu1"},{"binary_name":"python-twisted-names","binary_version":"18.9.0-6ubuntu1"},{"binary_name":"python-twisted-news","binary_version":"18.9.0-6ubuntu1"},{"binary_name":"python-twisted-runner","binary_version":"18.9.0-6ubuntu1"},{"binary_name":"python-twisted-web","binary_version":"18.9.0-6ubuntu1"},{"binary_name":"python-twisted-words","binary_version":"18.9.0-6ubuntu1"},{"binary_name":"python3-twisted","binary_version":"18.9.0-6ubuntu1"},{"binary_name":"python3-twisted-bin","binary_version":"18.9.0-6ubuntu1"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-9515.json"}},{"package":{"name":"golang-google-grpc","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/golang-google-grpc?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.22.1-1ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_name":"golang-google-grpc-dev","binary_version":"1.22.1-1ubuntu1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-9515.json"}},{"package":{"name":"grpc","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/grpc?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.16.1-1","1.16.1-1ubuntu1","1.16.1-1ubuntu3","1.16.1-1ubuntu4","1.16.1-1ubuntu5"],"ecosystem_specific":{"binaries":[{"binary_name":"libgrpc++1","binary_version":"1.16.1-1ubuntu5"},{"binary_name":"libgrpc6","binary_version":"1.16.1-1ubuntu5"},{"binary_name":"protobuf-compiler-grpc","binary_version":"1.16.1-1ubuntu5"},{"binary_name":"python3-grpcio","binary_version":"1.16.1-1ubuntu5"},{"binary_name":"ruby-grpc","binary_version":"1.16.1-1ubuntu5"},{"binary_name":"ruby-grpc-tools","binary_version":"1.16.1-1ubuntu5"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-9515.json"}},{"package":{"name":"golang-google-grpc","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/golang-google-grpc?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.29.1-0ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_name":"golang-google-grpc-dev","binary_version":"1.29.1-0ubuntu1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-9515.json"}},{"package":{"name":"grpc","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/grpc?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.30.2-3","1.30.2-3build1","1.30.2-3build3","1.30.2-3build5","1.30.2-3build6"],"ecosystem_specific":{"binaries":[{"binary_name":"libgrpc++1","binary_version":"1.30.2-3build6"},{"binary_name":"libgrpc10","binary_version":"1.30.2-3build6"},{"binary_name":"protobuf-compiler-grpc","binary_version":"1.30.2-3build6"},{"binary_name":"python3-grpcio","binary_version":"1.30.2-3build6"},{"binary_name":"ruby-grpc","binary_version":"1.30.2-3build6"},{"binary_name":"ruby-grpc-tools","binary_version":"1.30.2-3build6"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-9515.json"}},{"package":{"name":"grpc","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/grpc?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.51.1-3build3","1.51.1-3build4","1.51.1-4","1.51.1-4build1","1.51.1-4build2","1.51.1-4.1build3","1.51.1-4.1build4","1.51.1-4.1build5"],"ecosystem_specific":{"binaries":[{"binary_name":"libgrpc++1.51t64","binary_version":"1.51.1-4.1build5"},{"binary_name":"libgrpc29t64","binary_version":"1.51.1-4.1build5"},{"binary_name":"protobuf-compiler-grpc","binary_version":"1.51.1-4.1build5"},{"binary_name":"python3-grpcio","binary_version":"1.51.1-4.1build5"},{"binary_name":"ruby-grpc","binary_version":"1.51.1-4.1build5"},{"binary_name":"ruby-grpc-tools","binary_version":"1.51.1-4.1build5"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-9515.json"}},{"package":{"name":"golang-google-grpc","ecosystem":"Ubuntu:Pro:24.04:LTS","purl":"pkg:deb/ubuntu/golang-google-grpc?arch=source&distro=esm-apps%2Fnoble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.38.0+really1.33.3-1build1","1.38.0+really1.33.3-1ubuntu0.24.04.1","1.38.0+really1.33.3-1ubuntu0.24.04.2","1.38.0+really1.33.3-1ubuntu0.24.04.2+esm1","1.38.0+really1.33.3-1ubuntu0.24.04.3","1.38.0+really1.33.3-1ubuntu0.24.04.3+esm1","1.38.0+really1.33.3-1ubuntu0.24.04.3+esm2"],"ecosystem_specific":{"binaries":[{"binary_name":"golang-google-grpc-dev","binary_version":"1.38.0+really1.33.3-1ubuntu0.24.04.3+esm2"},{"binary_name":"protoc-gen-go-grpc","binary_version":"1.38.0+really1.33.3-1ubuntu0.24.04.3+esm2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-9515.json"}},{"package":{"name":"golang-google-grpc","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/golang-google-grpc?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.64.0-6","1.64.0-7"],"ecosystem_specific":{"binaries":[{"binary_name":"golang-google-grpc-dev","binary_version":"1.64.0-7"},{"binary_name":"protoc-gen-go-grpc","binary_version":"1.64.0-7"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-9515.json"}},{"package":{"name":"grpc","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/grpc?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.51.1-6","1.51.1-6build1"],"ecosystem_specific":{"binaries":[{"binary_name":"libgrpc++1.51t64","binary_version":"1.51.1-6build1"},{"binary_name":"libgrpc29t64","binary_version":"1.51.1-6build1"},{"binary_name":"protobuf-compiler-grpc","binary_version":"1.51.1-6build1"},{"binary_name":"python3-grpcio","binary_version":"1.51.1-6build1"},{"binary_name":"ruby-grpc","binary_version":"1.51.1-6build1"},{"binary_name":"ruby-grpc-tools","binary_version":"1.51.1-6build1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-9515.json"}},{"package":{"name":"golang-google-grpc","ecosystem":"Ubuntu:26.04:LTS","purl":"pkg:deb/ubuntu/golang-google-grpc?arch=source&distro=resolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.64.0-7","1.66.3-2"],"ecosystem_specific":{"binaries":[{"binary_name":"golang-google-grpc-dev","binary_version":"1.66.3-2"},{"binary_name":"protoc-gen-go-grpc","binary_version":"1.66.3-2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-9515.json"}},{"package":{"name":"grpc","ecosystem":"Ubuntu:26.04:LTS","purl":"pkg:deb/ubuntu/grpc?arch=source&distro=resolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.51.1-6build1","1.51.1-7","1.51.1-7ubuntu2","1.51.1-7ubuntu3","1.51.1-8ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_name":"libgrpc++1.51t64","binary_version":"1.51.1-8ubuntu1"},{"binary_name":"libgrpc29t64","binary_version":"1.51.1-8ubuntu1"},{"binary_name":"protobuf-compiler-grpc","binary_version":"1.51.1-8ubuntu1"},{"binary_name":"python3-grpcio","binary_version":"1.51.1-8ubuntu1"},{"binary_name":"ruby-grpc","binary_version":"1.51.1-8ubuntu1"},{"binary_name":"ruby-grpc-tools","binary_version":"1.51.1-8ubuntu1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-9515.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]}