Impact
Apache Tomcat improperly validates HTTP/2 request headers, so a client can send malformed or unexpected header data that the server accepts instead of rejecting. The CVE description does not specify a particular downstream effect of that acceptance.
Affected Systems
This issue affects every Apache Tomcat installation running any of the following release ranges: 11.0.0-M1 to 11.0.21, 10.1.0-M1 to 10.1.54, 9.0.0.M1 to 9.0.117, and 10.0.0-M1 to 10.0.27. Older, end-of-support releases that share the same code base may also be susceptible, even though they are not listed.
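A practical first check is to compare the Tomcat version of each deployment against the ranges above. The script below is an added example, not part of this advisory or of the Tomcat project: it parses Tomcat version strings in both milestone spellings used on this page ("11.0.0-M1" and "9.0.0.M1"), orders milestones before the matching GA release, and classifies a version as inside a listed range, outside all listed ranges, or on an older unsupported branch that the advisory does not assess. It assumes the "Server version: Apache Tomcat/x.y.z" banner format printed by Tomcat's version script; the banner lines in the block are constructed sample input.

```python
import re

# Inclusive affected ranges, copied from the advisory text.
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.21"),
    ("10.1.0-M1", "10.1.54"),
    ("9.0.0.M1", "9.0.117"),
    ("10.0.0-M1", "10.0.27"),
]

AFFECTED = "affected"
NOT_LISTED = "not in a listed affected range"
UNASSESSED = "older end-of-support branch; not assessed by the advisory"

# Accepts "9.0.117", "11.0.0-M1" and "9.0.0.M1" (milestone separator is '-' or '.').
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")
# Assumed banner format of Tomcat's version script, e.g. "Server version: Apache Tomcat/9.0.117".
_BANNER_RE = re.compile(r"Apache Tomcat/([\w.\-]+)")


def parse_version(text):
    """Return a sortable tuple (major, minor, patch, stage, milestone).

    stage 0 = milestone build, stage 1 = GA, so 11.0.0-M1 sorts before 11.0.0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def version_from_banner(line):
    """Extract the version from a version-script banner line, or None if absent."""
    m = _BANNER_RE.search(line)
    return m.group(1) if m else None


def classify(version, ranges=AFFECTED_RANGES):
    """Classify a Tomcat version against the advisory's affected ranges."""
    v = parse_version(version)
    for low, high in ranges:
        if parse_version(low) <= v <= parse_version(high):
            return AFFECTED
    # Branches older than the lowest listed major line are end-of-support and
    # may still carry the same code; the advisory does not assess them.
    lowest_major = min(parse_version(low)[0] for low, _ in ranges)
    if v[0] < lowest_major:
        return UNASSESSED
    return NOT_LISTED


def triage(banner_lines):
    """Map each banner line to (version, classification); unparsable lines get None."""
    results = []
    for line in banner_lines:
        version = version_from_banner(line)
        results.append((version, classify(version) if version else None))
    return results


if __name__ == "__main__":
    # Constructed sample banners, as an inventory script might collect them.
    sample = [
        "Server version: Apache Tomcat/9.0.117",
        "Server version: Apache Tomcat/10.1.55",
        "Server version: Apache Tomcat/11.0.0-M1",
        "Server version: Apache Tomcat/8.5.100",
        "Server version: Apache Tomcat/10.0.27",
    ]
    for version, verdict in triage(sample):
        print(f"{version:12s} -> {verdict}")
```

Run the classifier against an inventory of banners collected from each host; any line reported as "affected" is a deployment inside a listed range, and lines on the unsupported branch need a separate judgement because the advisory gives no statement about them.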
Risk and Exploitability
The CVSS score of 9.8 indicates critical severity, while the EPSS estimate of <1% reflects a low probability of exploitation in the wild at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is inferred to be a remote client that establishes an HTTP/2 connection to the Tomcat server and sends crafted header data to trigger the flaw, with no authentication implied. No publicly documented exploits exist at this time.