Description
spdystream is a Go library for multiplexing streams over SPDY connections. In versions 0.5.0 and below, the SPDY/3 frame parser does not validate attacker-controlled counts and lengths before allocating memory. Three allocation paths are affected: the SETTINGS frame entry count, the header count in parseHeaderValueBlock, and individual header field sizes — all read as 32-bit integers and used directly as allocation sizes with no bounds checking. Because SPDY header blocks are zlib-compressed, a small on-the-wire payload can decompress into large attacker-controlled values. A remote peer that can send SPDY frames to a service using spdystream can exhaust process memory and cause an out-of-memory crash with a single crafted control frame. This issue has been fixed in version 0.5.1.
Published: 2026-04-16
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

spdystream is a Go library that multiplexes streams over SPDY connections. In versions 0.5.0 and earlier, the SPDY/3 frame parser reads 32‑bit counts and lengths supplied by the remote peer and uses them directly as allocation sizes, without performing bounds checking. Because SPDY header blocks are zlib‑compressed, an attacker can send a small on‑the‑wire frame that decompresses into a much larger value, causing the library to allocate excessive memory. A single crafted frame can exhaust process memory and trigger an out‑of‑memory crash. This is a resource‑exhaustion vulnerability identified as CWE‑770.

Affected Systems

The affected component is the moby:spdystream library. Versions 0.5.0 and all earlier releases contain the flaw; it has been fixed in 0.5.1. Any application or service that links against an unpatched version of spdystream is potentially vulnerable.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, while no EPSS score is available, making the exact likelihood of exploitation uncertain but not negligible. The vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the denial of service by sending a single malicious SPDY frame to any service that uses spdystream, such as container runtimes or other components that multiplex streams over SPDY. The resulting out‑of‑memory crash can lead to service interruption and potential cascading effects on dependent workloads.

Generated by OpenCVE AI on April 17, 2026 at 02:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the spdystream library to version 0.5.1 or later.
  • If an upgrade is not immediately possible, restrict inbound SPDY traffic to trusted hosts or networks, and monitor for anomalous frame sizes.
  • Apply process hardening such as cgroups memory limits or OOM protection to mitigate the impact of accidental memory allocation.

Generated by OpenCVE AI on April 17, 2026 at 02:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-pc3f-x583-g7j2 SpdyStream: DOS on CRI
History

Fri, 17 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description A flaw was found in the SPDY streaming code used by Kubelet, CRI-O, and kube-apiserver. An attacker with specific cluster roles, such as those allowing access to pod port forwarding, execution, or attachment, or node proxying, could exploit this vulnerability. This could lead to a Denial of Service (DoS) by causing the affected components to become unresponsive. spdystream is a Go library for multiplexing streams over SPDY connections. In versions 0.5.0 and below, the SPDY/3 frame parser does not validate attacker-controlled counts and lengths before allocating memory. Three allocation paths are affected: the SETTINGS frame entry count, the header count in parseHeaderValueBlock, and individual header field sizes — all read as 32-bit integers and used directly as allocation sizes with no bounds checking. Because SPDY header blocks are zlib-compressed, a small on-the-wire payload can decompress into large attacker-controlled values. A remote peer that can send SPDY frames to a service using spdystream can exhaust process memory and cause an out-of-memory crash with a single crafted control frame. This issue has been fixed in version 0.5.1.
Title Kubelet: CRI-O: kube-apiserver: Kubelet, CRI-O, kube-apiserver: Denial of Service via SPDY streaming code SpdyStream: DOS on CRI
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Thu, 16 Apr 2026 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Kubernetes
Kubernetes kubelet
Vendors & Products Kubernetes
Kubernetes kubelet

Thu, 16 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Description A flaw was found in the SPDY streaming code used by Kubelet, CRI-O, and kube-apiserver. An attacker with specific cluster roles, such as those allowing access to pod port forwarding, execution, or attachment, or node proxying, could exploit this vulnerability. This could lead to a Denial of Service (DoS) by causing the affected components to become unresponsive.
Title Kubelet: CRI-O: kube-apiserver: Kubelet, CRI-O, kube-apiserver: Denial of Service via SPDY streaming code
Weaknesses CWE-770
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Important

Subscriptions

Kubernetes Kubelet
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-17T12:37:27.329Z

Reserved: 2026-04-02T20:49:44.452Z

Link: CVE-2026-35469

cve-icon Vulnrichment

Updated: 2026-04-17T12:37:22.027Z

cve-icon NVD

Status : Deferred

Published: 2026-04-16T22:16:37.920

Modified: 2026-04-29T21:04:10.060

Link: CVE-2026-35469

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-13T23:59:59Z

Links: CVE-2026-35469 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T03:00:08Z

Weaknesses