Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

References
Link Providers
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00014.html cve-icon cve-icon
http://seclists.org/fulldisclosure/2019/Aug/16 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2745 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2746 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2775 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2799 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2925 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2939 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2946 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2950 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2955 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2966 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:3932 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:3933 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:3935 cve-icon cve-icon
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md cve-icon cve-icon cve-icon
https://github.com/nghttp2/nghttp2/issues/1382# cve-icon
https://kb.cert.org/vuls/id/605641/ cve-icon cve-icon cve-icon
https://kc.mcafee.com/corporate/index?page=content&id=SB10296 cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/ cve-icon cve-icon
https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/ cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2019-9516 cve-icon
https://seclists.org/bugtraq/2019/Aug/24 cve-icon cve-icon
https://seclists.org/bugtraq/2019/Aug/40 cve-icon cve-icon
https://security.netapp.com/advisory/ntap-20190823-0002/ cve-icon cve-icon
https://security.netapp.com/advisory/ntap-20190823-0005/ cve-icon cve-icon
https://support.f5.com/csp/article/K02591030 cve-icon cve-icon
https://support.f5.com/csp/article/K02591030?utm_source=f5support&amp%3Butm_medium=RSS cve-icon cve-icon
https://usn.ubuntu.com/4099-1/ cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2019-9516 cve-icon
https://www.debian.org/security/2019/dsa-4505 cve-icon cve-icon
https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/ cve-icon
https://www.synology.com/security/advisory/Synology_SA_19_33 cve-icon cve-icon
History

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.02211}

epss

{'score': 0.02271}


Tue, 14 Jan 2025 19:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:synology:diskstation_manager:6.2:*:*:*:*:*:*:* cpe:2.3:o:synology:diskstation_manager:6.2:*:*:*:*:*:*:*

cve-icon MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2024-08-04T21:54:44.285Z

Reserved: 2019-03-01T00:00:00

Link: CVE-2019-9516

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2019-08-13T21:15:12.583

Modified: 2025-01-14T19:29:55.853

Link: CVE-2019-9516

cve-icon Redhat

Severity : Important

Publid Date: 2019-08-13T00:00:00Z

Links: CVE-2019-9516 - Bugzilla

cve-icon OpenCVE Enrichment

No data.