CVE-2023-33953
CVSS 3.1 Score 7.5 of 10 (high)
Details
Summary
CVE-2023-33953 is a vulnerability in gRPC's HPACK parser. Errors in HPACK table accounting can lead to unwanted disconnections between clients and servers. Three denial-of-service (DoS) vectors have been identified in the parser: an unbounded memory buffering bug, unbounded CPU consumption, and unbounded buffering of leading zeros when decoding an integer. The memory buffering bug allows the parser to buffer up to 4 gigabytes of data before rejecting it as too long. The CPU consumption issue stems from a copy operation performed per input block, which can turn parsing into an O(n^2) loop. The third issue is that the HPACK parser must read an unbounded number of 0's at the start of an integer, which can cause excessive buffering. All three can be triggered by sending maliciously crafted headers to a gRPC server, potentially resulting in significant resource consumption or a denial-of-service condition.
Affected Products
- gRPC
Affected Vendors
- GRPC