eastbaycyber

CVE-2026-6279: HTTP/2 Rapid Reset DoS in Curve

CVE explainers 3 min read
SR
Security Research Desk Expert reviewed
Threat intelligence · Human-verified · Updated 2026-05-21
▲ Escalation ViewOne CVE, briefed at three altitudes — skim the Brief, weigh the Impact, or work the Runbook. The way a SOC actually reads it.
CISOBrief · 30-second brief

CVE-2026-6279 is a high-severity denial-of-service vulnerability affecting Curve versions 0.4.1 and earlier. This vulnerability allows unauthenticated attackers to exploit the HTTP/2 Rapid Reset attack pattern, potentially leading to significant service disruptions. The issue has been addressed in Curve 0.5.0, which is crucial for users to upgrade to in order to mitigate risks.

Vulnerability at a Glance

  • CVE ID: CVE-2026-6279
  • CVSS Score: 7.5 (High)
  • Attack Vector: Network
  • Authentication Required: None
  • Patch Status: Fixed in Curve 0.5.0

TL;DR - Curve 0.4.1 and earlier are vulnerable to unauthenticated HTTP/2 Rapid Reset DoS. - Upgrade to 0.5.0 if your service exposes HTTP/2 using Curve. - Exploitation is not confirmed in the wild from reviewed sources, but exposure is remotely reachable and low effort.

What This Vulnerability Is and Why It Matters

The root cause of CVE-2026-6279 is identified as CWE-770: Allocation of Resources Without Limits or Throttling. Attackers can exploit this vulnerability by opening and immediately resetting a large number of HTTP/2 streams, causing excessive CPU and memory consumption on the server. This results in degraded service for legitimate users, making it an operationally significant issue.

Technical Notes

The NVD description states:

“Curve versions 0.4.1 and earlier are vulnerable to an unauthenticated denial of service. The HTTP/2 Rapid Reset attack allows a remote attacker to abuse a web server by opening a large number of HTTP/2 streams and immediately resetting them.”

AnalystImpact · assess the risk

Who Is Affected

The affected product is Curve, specifically versions 0.4.1 and earlier. If you are utilizing Curve in your applications, it is critical to verify the version in use and upgrade to 0.5.0 to avoid potential denial-of-service attacks.

Product Affected Versions Fixed Version Impact
Curve 0.4.1 and earlier 0.5.0 Unauthenticated denial of service via HTTP/2 Rapid Reset

CVSS Score Breakdown

The 7.5 High score indicates that exploitation can occur over the network with low attack complexity, no privileges, and no user interaction. This combination makes the vulnerability particularly concerning for defenders.

Metric Value
Attack Vector AV:N
Attack Complexity AC:L
Privileges Required PR:N
User Interaction UI:N
Availability A:H

Exploitation Status and PoC Availability

Currently, CISA KEV does not list CVE-2026-6279, and there is no confirmed exploitation in the wild. However, defenders should remain vigilant as the attack pattern is well understood and could be replicated by capable attackers.

Question Status
Confirmed exploited in the wild? Not confirmed from reviewed sources
Listed in CISA KEV? No
Public PoC identified? No explicit PoC identified
ResponderRunbook · act now

How to Detect Attempted Exploitation

Detection of Rapid Reset attacks can be achieved through monitoring unusual patterns in HTTP/2 stream creation and resets. Key indicators include spikes in CPU usage and memory pressure, as well as high rates of stream resets.

Detection Ideas

  1. Log Patterns: Search logs for frequent HTTP/2 resets.
  2. Network Signatures: Look for high volumes of RST_STREAM frames from a single source.
  3. Splunk Query Example: spl index=proxy OR index=app sourcetype=*http* ("RST_STREAM" OR "stream reset" OR "http2 reset") | bin _time span=1m | stats count by src_ip, host, _time | where count > 100 | sort - count

Mitigation and Patching

The primary mitigation strategy is to upgrade to Curve 0.5.0. If immediate upgrading is not feasible, consider implementing temporary exposure reduction measures, such as rate limiting and monitoring for suspicious connection patterns.

Upgrade Examples for Rust/Cargo Projects

If Curve is a direct dependency, use the following commands:

cargo update -p curve --precise 0.5.0
cargo build --release

References

For further reading, check the following resources: - GitHub Security Advisory - NVD Record for CVE-2026-6279 - CWE-770: Allocation of Resources Without Limits or Throttling

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Last verified: 2026-05-21

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.