{"api_version":"1","generated_at":"2026-04-22T21:37:45+00:00","cve":"CVE-2018-1000168","urls":{"html":"https://cve.report/CVE-2018-1000168","api":"https://cve.report/api/cve/CVE-2018-1000168.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-1000168","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000168"},"summary":{"title":"CVE-2018-1000168","description":"nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of service. This attack appears to be exploitable via network client. This vulnerability appears to have been fixed in >= 1.31.1.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2018-05-08 15:29:00","updated_at":"2022-08-16 13:01:00"},"problem_types":["CWE-20","CWE-476"],"metrics":[],"references":[{"url":"https://access.redhat.com/errata/RHSA-2019:0366","name":"RHSA-2019:0366","refsource":"REDHAT","tags":["Third Party Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/errata/RHSA-2019:0367","name":"RHSA-2019:0367","refsource":"REDHAT","tags":["Third Party Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/103952","name":"103952","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"nghttp2 CVE-2018-1000168 Remote Denial of Service Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/","name":"https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/","refsource":"CONFIRM","tags":["Third Party Advisory"],"title":"June 2018 Security Releases | Node.js","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://nghttp2.org/blog/2018/04/12/nghttp2-v1-31-1/","name":"https://nghttp2.org/blog/2018/04/12/nghttp2-v1-31-1/","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"Nghttp2 v1.31.1 - nghttp2.org","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2021/10/msg00011.html","name":"[debian-lts-announce] 20211017 [SECURITY] [DLA 2786-1] nghttp2 security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 2786-1] nghttp2 security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-1000168","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000168","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"1000168","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"1000168","vulnerable":"1","versionEndIncluding":"1.31.0","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nghttp2","cpe5":"nghttp2","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"1000168","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"1000168","vulnerable":"1","versionEndIncluding":"10.15.2","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"1000168","vulnerable":"1","versionEndIncluding":"6.8.1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"1000168","vulnerable":"1","versionEndIncluding":"8.15.1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"1000168","vulnerable":"1","versionEndIncluding":"8.17.0","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"1000168","vulnerable":"1","versionEndIncluding":"9.11.2","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2018-1000168","qid":"174904","title":"SUSE Enterprise Linux Security Update for nghttp2 (SUSE-SU-2021:0932-1)"},{"cve":"CVE-2018-1000168","qid":"178839","title":"Debian Security Update for nghttp2 (DLA 2786-1)"},{"cve":"CVE-2018-1000168","qid":"500449","title":"Alpine Linux Security Update for nodejs"},{"cve":"CVE-2018-1000168","qid":"504215","title":"Alpine Linux Security Update for nodejs"},{"cve":"CVE-2018-1000168","qid":"900064","title":"CBL-Mariner Linux Security Update for nodejs 8.11.4"},{"cve":"CVE-2018-1000168","qid":"902895","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for nodejs (4289)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","DATE_ASSIGNED":"2018-04-30T20:15:49.358836","DATE_REQUESTED":"2018-04-09T10:52:35","ID":"CVE-2018-1000168","REQUESTER":"tatsuhiro.t@gmail.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of service. This attack appears to be exploitable via network client. This vulnerability appears to have been fixed in >= 1.31.1."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"RHSA-2019:0367","refsource":"REDHAT","url":"https://access.redhat.com/errata/RHSA-2019:0367"},{"name":"https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/","refsource":"CONFIRM","url":"https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/"},{"name":"103952","refsource":"BID","url":"http://www.securityfocus.com/bid/103952"},{"name":"https://nghttp2.org/blog/2018/04/12/nghttp2-v1-31-1/","refsource":"CONFIRM","url":"https://nghttp2.org/blog/2018/04/12/nghttp2-v1-31-1/"},{"name":"RHSA-2019:0366","refsource":"REDHAT","url":"https://access.redhat.com/errata/RHSA-2019:0366"},{"refsource":"MLIST","name":"[debian-lts-announce] 20211017 [SECURITY] [DLA 2786-1] nghttp2 security update","url":"https://lists.debian.org/debian-lts-announce/2021/10/msg00011.html"}]}},"nvd":{"publishedDate":"2018-05-08 15:29:00","lastModifiedDate":"2022-08-16 13:01:00","problem_types":["CWE-20","CWE-476"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:N/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"PARTIAL","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nghttp2:nghttp2:*:*:*:*:*:*:*:*","versionStartIncluding":"1.10.0","versionEndIncluding":"1.31.0","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*","versionStartIncluding":"9.0.0","versionEndIncluding":"9.11.2","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*","versionStartIncluding":"6.0.0","versionEndIncluding":"6.8.1","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*","versionStartIncluding":"10.0.0","versionEndExcluding":"10.4.1","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*","versionStartIncluding":"8.4.0","versionEndIncluding":"8.17.0","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"1000168","Ordinal":"126333","Title":"CVE-2018-1000168","CVE":"CVE-2018-1000168","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"1000168","Ordinal":"1","NoteData":"nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of service. This attack appears to be exploitable via network client. This vulnerability appears to have been fixed in >= 1.31.1.","Type":"Description","Title":null},{"CveYear":"2018","CveId":"1000168","Ordinal":"2","NoteData":"2018-05-08","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"1000168","Ordinal":"3","NoteData":"2021-10-17","Type":"Other","Title":"Modified"}]}}}