Bug 2428732 (CVE-2026-22776)

Summary: CVE-2026-22776 cpp-httplib: cpp-httplib: Denial of Service due to excessive memory usage from compressed HTTP request bodies
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in cpp-httplib, a C++ HTTP/HTTPS library. A remote attacker can exploit this vulnerability by sending a specially crafted compressed HTTP request. While the library checks the size of the compressed data, it does not properly limit the size of the data after decompression, leading to excessive memory consumption. This can result in a Denial of Service (DoS), making the affected system unavailable.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2428891, 2428892, 2428890, 2428893, 2428894    
Bug Blocks:    

Description OSIDB Bzimport 2026-01-12 19:02:16 UTC 
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.1, a Denial of Service (DoS) vulnerability exists in cpp-httplib due to the unsafe handling of compressed HTTP request bodies (Content-Encoding: gzip, br, etc.). The library validates the payload_max_length against the compressed data size received from the network, but does not limit the size of the decompressed data stored in memory.