Intel

AIKIDO-2026-11046

pingora is vulnerable to Resource Exhaustion

Resource Exhaustion Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 3, 2026

75

High Risk

This Affects:

RUSTpingora
0.0.1 - 0.8.0
Fixed in 0.8.1
Are you affected? Scan for Free

TL;DR

Cloudflare Pingora HTTP/2 handling is vulnerable to an HPACK indexed-reference header bomb combined with response flow-control stalling. A client can send many cheap header references and keep the server from freeing per-request allocations. Affected servers can suffer remote memory exhaustion and availability loss through HTTP/2 traffic. Version 0.8.1 bounds default HTTP/2 server limits to mitigate memory exhaustion.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and HTTP/2 is enabled.

Background info

pingora is vulnerable to Resource Exhaustion in versions 0.0.1 - 0.8.0.

How to fix this

Upgrade the pingora library to the patch version.