2428732 – (CVE-2026-22776) CVE-2026-22776 cpp-httplib: cpp-httplib: Denial of Service due to excessive memory usage from compressed HTTP request bodies

Bug 2428732 (CVE-2026-22776) - CVE-2026-22776 cpp-httplib: cpp-httplib: Denial of Service due to excessive memory usage from compressed HTTP request bodies

Summary: CVE-2026-22776 cpp-httplib: cpp-httplib: Denial of Service due to excessive m...

Keywords:
Status:	NEW
Alias:	CVE-2026-22776
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2428891 2428892 2428890 2428893 2428894
Blocks:
TreeView+	depends on / blocked

Reported:	2026-01-12 19:02 UTC by OSIDB Bzimport
Modified:	2026-01-13 10:33 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-01-12 19:02:16 UTC

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.1, a Denial of Service (DoS) vulnerability exists in cpp-httplib due to the unsafe handling of compressed HTTP request bodies (Content-Encoding: gzip, br, etc.). The library validates the payload_max_length against the compressed data size received from the network, but does not limit the size of the decompressed data stored in memory.

Note You need to log in before you can comment on or make changes to this bug.