LiveActive security incident?Get immediate response
CVE Record

CVE-2026-35469: SpdyStream: DOS on CRI

spdystream is a Go library for multiplexing streams over SPDY connections. In versions 0.5.0 and below, the SPDY/3 frame parser does not validate attacker-controlled counts and lengths before allocating memory. Three allocation paths are affected: the SETTINGS frame entry count, the header count in parseHeaderValueBlock, and individual header field sizes — all read as 32-bit integers and used directly as allocation sizes with no bounds checking. Because SPDY header blocks are zlib-compressed, a small on-the-wire payload can decompress into large attacker-controlled values. A remote peer that can send SPDY frames to a service using spdystream can exhaust process memory and cause an out-of-memory crash with a single crafted control frame. This issue has been fixed in version 0.5.1.

HighCVSS 8.7Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

CVE-2026-35469 is a denial-of-service flaw in moby spdystream before 0.5.1. A remote peer able to send SPDY frames to an affected service may crash the process by forcing excessive memory allocation. The issue affects availability, not confidentiality or integrity, based on the supplied record.

Executive priority

Treat as high priority for systems exposing affected SPDY-based control paths. The business risk is service outage from remote memory exhaustion, especially in infrastructure components where process crashes can disrupt container or platform operations.

Technical view

The SPDY/3 frame parser fails to bound attacker-controlled 32-bit counts and lengths before allocation. Affected paths include SETTINGS entry count, header count, and individual header field sizes. Compressed header blocks can carry small wire data that expands into large allocation requests, causing out-of-memory termination. Version 0.5.1 fixes this.

Likely exposure

Exposure is limited to services or downstream products using moby/spdystream below 0.5.1 where an untrusted remote peer can send SPDY frames. The bundle lists Red Hat advisories, so downstream package status should be verified through vendor guidance.

Exploitation context

The source bundle does not show CISA KEV listing or confirmed active exploitation. It does state network, low-complexity, unauthenticated availability impact, with a single crafted control frame potentially causing process memory exhaustion.

Researcher notes

Focus review on reachability of spdystream frame parsing from untrusted peers and dependency lineage. The advisory identifies three unbounded allocation paths and a fixed release, but the bundle does not provide detailed downstream affected-product mapping beyond listed vendor references.

Mitigation direction

  • Upgrade moby/spdystream to 0.5.1 or later where directly vendored.
  • Check downstream vendor advisories, including listed Red Hat errata, before assuming fixed status.
  • Restrict untrusted peers from reaching SPDY endpoints using vulnerable spdystream versions.
  • Monitor process memory and crash loops until affected components are upgraded.

Validation and detection

  • Inventory Go modules and vendor trees for moby/spdystream versions below 0.5.1.
  • Review SBOMs and container images for transitive inclusion of vulnerable spdystream.
  • Confirm deployed downstream packages map to fixed vendor errata.
  • Validate service availability controls without reproducing weaponized crash payloads.
Prepared
Confidence
high
Sources
12

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-770: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2026-35469 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
8.7 (4.0)
Known Exploited
No
Published

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

2CVSS vectors
5Timeline events
2ADP providers
43Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: yesTechnical Impact: partial

CVSS vector scores

2 official scores

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
8.7CVSS 4.0HighCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:NGitHub_M
6.5CVSS 3.1MediumCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H2.83.6redhat-SADP

Vulnerability scoring details

Base CVSS 4.0 score

8.7High
CVSS 4.0 vector shape for CVE-2026-35469Attack VectorAttack ComplexityAttack RequirementsPrivileges RequiredUser InteractionVS ConfidentialityVS IntegrityVS AvailabilitySS ConfidentialitySS IntegritySS Availability

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Attack Requirements
NonePresent
Privileges Required
NoneLowHigh
User Interaction
NonePassiveActive
VS Confidentiality
HighLowNone
VS Integrity
HighLowNone
VS Availability
HighLowNone
SS Confidentiality
HighLowNone
SS Integrity
HighLowNone
SS Availability
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. ADP timelineredhat-SADP

    Reported to Red Hat.

  3. ADP timelineredhat-SADP

    Made public.

  4. CVE publishedCVE Program

    The CVE record was published.

  5. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
redhat-SADPKubelet: CRI-O: kube-apiserver: Kubelet, CRI-O, kube-apiserver: Denial of Service via SPDY streaming code
other:Red Hat severity ratingcvssV3_1
  • 2026-04-13T03:52:35.000Z: Reported to Red Hat.
  • 2026-04-13T23:59:59.000Z: Made public.

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
mobyspdystream< 0.5.1Listed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.