CVE-2026-54428
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk33th percentile — higher than 33% of all known CVEs
Summary
A vulnerability in the HTTP/2 HPACK decoder in Apache HttpComponents Core (versions 5.4.2 and earlier, 5.5-beta1 and earlier) allows a remote attacker to cause a denial of service through memory exhaustion by sending oversized compressed header blocks before the HTTP/2 SETTINGS acknowledgement applies the configured header list size limit.
Risk Assessment
The organization is at risk of a DoS attack that can render services based on Apache HttpComponents Core unavailable, leading to application downtime and potential financial losses.
Recommendation
Immediately upgrade Apache HttpComponents Core to version 5.4.3 or later (or 5.5-beta2), which includes a fix to limit header size before HTTP/2 SETTINGS acknowledgement.
Original NVD description (English source)
Allocation of resources without limits or throttling in the HTTP/2 HPACK decoder in Apache HttpComponents Core (5.4.2 and earlier, 5.5-beta1 and earlier) allows an remote attacker to cause a denial of service through memory exhaustion by sending oversized compressed header blocks before the HTTP/2 SETTINGS acknowledgement causes the configured header list size limit to be applied.

