CVE-2016-6581 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2016-6581 Interim 1 16 2025-11-05T04:21:42Z current 2021-08-11T00:26:57Z 2025-11-05T04:21:42Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2016-6581 A HTTP/2 implementation built using any version of the Python HPACK library between v1.0.0 and v2.2.0 could be targeted for a denial of service attack, specifically a so-called "HPACK Bomb" attack. This attack occurs when an attacker inserts a header field that is exactly the size of the HPACK dynamic header table into the dynamic header table. The attacker can then send a header block that is simply repeated requests to expand that field in the dynamic table. This can lead to a gigantic compression ratio of 4,096 or better, meaning that 16kB of data can decompress to 64MB of data on the target machine. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Linux Enterprise Module for Server Applications 15 SP2 SUSE Linux Enterprise Module for Server Applications 15 SP3 SUSE Linux Enterprise Module for Python 3 15 SP6 SUSE Linux Enterprise Module for Server Applications 15 SP2 SUSE Linux Enterprise Module for Server Applications 15 SP3 SUSE Linux Enterprise Module for Server Applications 15 SP4 SUSE Linux Enterprise Module for Python 3 15 SP6 SUSE Linux Enterprise Module for Server Applications 15 SP7 SUSE Linux Enterprise Module for Server Applications 15 SP2 SUSE Linux Enterprise Module for Server Applications 15 SP3 SUSE Linux Enterprise Module for Server Applications 15 SP4 SUSE Linux Enterprise Module for Python 3 15 SP6 SUSE Linux Enterprise Module for Server Applications 15 SP7 SUSE Linux Enterprise Server 16.0 SUSE Linux Enterprise Module for Server Applications 15 SP2 SUSE Linux Enterprise Module for Server Applications 15 SP3 SUSE Linux Enterprise Module for Server Applications 15 SP4 SUSE Linux Enterprise Module for Python 3 15 SP6 SUSE Linux Enterprise Module for Server Applications 15 SP7 SUSE Linux Enterprise Module for Server Applications 15 SP2 SUSE Linux Enterprise Module for Server Applications 15 SP3 SUSE Linux Enterprise Module for Server Applications 15 SP4 SUSE Linux Enterprise Module for Server Applications 15 SP2 SUSE Linux Enterprise Module for Server Applications 15 SP3 SUSE Linux Enterprise Module for Server Applications 15 SP4 SUSE Linux Enterprise Module for Server Applications 15 SP2 SUSE Linux Enterprise Module for Server Applications 15 SP3 SUSE Linux Enterprise Module for Server Applications 15 SP4 openSUSE Tumbleweed python-hpack python3-hpack python3-hpack-3.0.0-3.2.1 python310-hpack-4.0.0-2.7 python311-hpack-4.0.0-150400.8.3.9 python311-hpack-4.0.0-2.7 python312-hpack-4.0.0-2.7 python313-hpack-4.1.0-160000.2.2 python36-hpack-4.0.0-1.6 python38-hpack-4.0.0-1.6 python39-hpack-4.0.0-1.6 python311-hpack-4.0.0-150400.8.3.9 as a component of SUSE Linux Enterprise Module for Python 3 15 SP6 python3-hpack-3.0.0-3.2.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP3 python3-hpack-3.0.0-3.2.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP4 python3-hpack-3.0.0-3.2.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP7 python313-hpack-4.1.0-160000.2.2 as a component of SUSE Linux Enterprise Server 16.0 python310-hpack-4.0.0-2.7 as a component of openSUSE Tumbleweed python311-hpack-4.0.0-2.7 as a component of openSUSE Tumbleweed python312-hpack-4.0.0-2.7 as a component of openSUSE Tumbleweed python36-hpack-4.0.0-1.6 as a component of openSUSE Tumbleweed python38-hpack-4.0.0-1.6 as a component of openSUSE Tumbleweed python39-hpack-4.0.0-1.6 as a component of openSUSE Tumbleweed python3-hpack as a component of SUSE Linux Enterprise Module for Server Applications 15 SP2 python-hpack as a component of SUSE Linux Enterprise Module for Server Applications 15 SP2 A HTTP/2 implementation built using any version of the Python HPACK library between v1.0.0 and v2.2.0 could be targeted for a denial of service attack, specifically a so-called "HPACK Bomb" attack. This attack occurs when an attacker inserts a header field that is exactly the size of the HPACK dynamic header table into the dynamic header table. The attacker can then send a header block that is simply repeated requests to expand that field in the dynamic table. This can lead to a gigantic compression ratio of 4,096 or better, meaning that 16kB of data can decompress to 64MB of data on the target machine. CVE-2016-6581 SUSE Linux Enterprise Module for Python 3 15 SP6:python311-hpack-4.0.0-150400.8.3.9 SUSE Linux Enterprise Module for Server Applications 15 SP3:python3-hpack-3.0.0-3.2.1 SUSE Linux Enterprise Module for Server Applications 15 SP4:python3-hpack-3.0.0-3.2.1 SUSE Linux Enterprise Module for Server Applications 15 SP7:python3-hpack-3.0.0-3.2.1 SUSE Linux Enterprise Server 16.0:python313-hpack-4.1.0-160000.2.2 openSUSE Tumbleweed:python310-hpack-4.0.0-2.7 openSUSE Tumbleweed:python311-hpack-4.0.0-2.7 openSUSE Tumbleweed:python312-hpack-4.0.0-2.7 openSUSE Tumbleweed:python36-hpack-4.0.0-1.6 openSUSE Tumbleweed:python38-hpack-4.0.0-1.6 openSUSE Tumbleweed:python39-hpack-4.0.0-1.6 SUSE Linux Enterprise Module for Server Applications 15 SP2:python-hpack SUSE Linux Enterprise Module for Server Applications 15 SP2:python3-hpack important 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H