CVE-2026-6279: HTTP/2 Rapid Reset DoS in Curve
CVE-2026-6279 is a high-severity denial-of-service vulnerability affecting Curve versions 0.4.1 and earlier. This vulnerability allows unauthenticated attackers to exploit the HTTP/2 Rapid Reset attack pattern, potentially leading to significant service disruptions. The issue has been addressed in Curve 0.5.0, which is crucial for users to upgrade to in order to mitigate risks.
Vulnerability at a Glance
- CVE ID: CVE-2026-6279
- CVSS Score: 7.5 (High)
- Attack Vector: Network
- Authentication Required: None
- Patch Status: Fixed in Curve 0.5.0
TL;DR - Curve 0.4.1 and earlier are vulnerable to unauthenticated HTTP/2 Rapid Reset DoS. - Upgrade to 0.5.0 if your service exposes HTTP/2 using Curve. - Exploitation is not confirmed in the wild from reviewed sources, but exposure is remotely reachable and low effort.
What This Vulnerability Is and Why It Matters
The root cause of CVE-2026-6279 is identified as CWE-770: Allocation of Resources Without Limits or Throttling. Attackers can exploit this vulnerability by opening and immediately resetting a large number of HTTP/2 streams, causing excessive CPU and memory consumption on the server. This results in degraded service for legitimate users, making it an operationally significant issue.
Technical Notes
The NVD description states:
“Curve versions 0.4.1 and earlier are vulnerable to an unauthenticated denial of service. The HTTP/2 Rapid Reset attack allows a remote attacker to abuse a web server by opening a large number of HTTP/2 streams and immediately resetting them.”
Who Is Affected
The affected product is Curve, specifically versions 0.4.1 and earlier. If you are utilizing Curve in your applications, it is critical to verify the version in use and upgrade to 0.5.0 to avoid potential denial-of-service attacks.
| Product | Affected Versions | Fixed Version | Impact |
|---|---|---|---|
| Curve | 0.4.1 and earlier | 0.5.0 | Unauthenticated denial of service via HTTP/2 Rapid Reset |
CVSS Score Breakdown
The 7.5 High score indicates that exploitation can occur over the network with low attack complexity, no privileges, and no user interaction. This combination makes the vulnerability particularly concerning for defenders.
| Metric | Value |
|---|---|
| Attack Vector | AV:N |
| Attack Complexity | AC:L |
| Privileges Required | PR:N |
| User Interaction | UI:N |
| Availability | A:H |
Exploitation Status and PoC Availability
Currently, CISA KEV does not list CVE-2026-6279, and there is no confirmed exploitation in the wild. However, defenders should remain vigilant as the attack pattern is well understood and could be replicated by capable attackers.
| Question | Status |
|---|---|
| Confirmed exploited in the wild? | Not confirmed from reviewed sources |
| Listed in CISA KEV? | No |
| Public PoC identified? | No explicit PoC identified |
How to Detect Attempted Exploitation
Detection of Rapid Reset attacks can be achieved through monitoring unusual patterns in HTTP/2 stream creation and resets. Key indicators include spikes in CPU usage and memory pressure, as well as high rates of stream resets.
Detection Ideas
- Log Patterns: Search logs for frequent HTTP/2 resets.
- Network Signatures: Look for high volumes of RST_STREAM frames from a single source.
- Splunk Query Example:
spl index=proxy OR index=app sourcetype=*http* ("RST_STREAM" OR "stream reset" OR "http2 reset") | bin _time span=1m | stats count by src_ip, host, _time | where count > 100 | sort - count
Mitigation and Patching
The primary mitigation strategy is to upgrade to Curve 0.5.0. If immediate upgrading is not feasible, consider implementing temporary exposure reduction measures, such as rate limiting and monitoring for suspicious connection patterns.
Upgrade Examples for Rust/Cargo Projects
If Curve is a direct dependency, use the following commands:
cargo update -p curve --precise 0.5.0
cargo build --release
References
For further reading, check the following resources: - GitHub Security Advisory - NVD Record for CVE-2026-6279 - CWE-770: Allocation of Resources Without Limits or Throttling
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.