CVE-2023-44487: MITRE: CVE-2023-44487 HTTP/2 Rapid Reset Attack

Overview

Severity

N/A

Category

Denial of Service

Exploit Status

Actively Exploited

Exploitation Likelihood

Detected

Patch Tuesday

2023-Oct

Released

2023-10-10

Last Updated

2025-04-15

EPSS Score

94.38% (percentile: 100.0%)

Detection & Weaponization (1 sources)

Maturity: Exploit

• GitHub PoC: 24 repositories

Affected Products (29)

Developer Tools

• .NET 6.0
• ASP.NET Core 6.0
• .NET 7.0
• Microsoft Visual Studio 2022 version 17.2
• Microsoft Visual Studio 2022 version 17.4
• Microsoft Visual Studio 2022 version 17.6
• Microsoft Visual Studio 2022 version 17.7
• ASP.NET Core 7.0

Windows

• Windows 10 Version 1809 for 32-bit Systems
• Windows 10 Version 1809 for x64-based Systems
• Windows 10 Version 1809 for ARM64-based Systems
• Windows Server 2019
• Windows Server 2019 (Server Core installation)
• Windows Server 2022
• Windows Server 2022 (Server Core installation)
• Windows 11 version 21H2 for x64-based Systems
• Windows 11 version 21H2 for ARM64-based Systems
• Windows 10 Version 21H2 for 32-bit Systems
• Windows 10 Version 21H2 for ARM64-based Systems
• Windows 10 Version 21H2 for x64-based Systems
• Windows 11 Version 22H2 for ARM64-based Systems
• Windows 11 Version 22H2 for x64-based Systems
• Windows 10 Version 22H2 for x64-based Systems
• Windows 10 Version 22H2 for ARM64-based Systems
• Windows 10 Version 22H2 for 32-bit Systems
• Windows 10 Version 1607 for 32-bit Systems
• Windows 10 Version 1607 for x64-based Systems
• Windows Server 2016
• Windows Server 2016 (Server Core installation)

Security Updates (13)

• 5032874
• 5032875
• Release Notes
• Release Notes
• Release Notes
• Release Notes
• 5031361
• 5031364
• 5031358
• 5031356
• 5031354
• 5031362
• Release Notes

Acknowledgments

Amazon, Cloudflare, and Google

Revision History

• 2023-10-10: Information published.
• 2023-10-12: In the Security Updates table, corrected Article links for ASP.NET Core 6.0 and ASP.NET Core 7.0. This is an informational change only.
• 2023-10-13: In the Workarounds section, corrected the font for the DWORD values "EnableHttp2Tls" (TLS as in Transport Layer Security) and EnableHttp2Cleartext for readability. Note that the "I" should be interpreted as "L" and not an "i".
• 2023-10-16: Updated product information in the Software Update table. This is an informational change only.
• 2024-12-10: To comprehensively address CVE-2023-44487, Microsoft released security updates on October 24, 2023 for all affected versions of .NET and Microsoft Visual Studio. Microsoft recommends that customers running any of these products install the updates to be fully protected from the vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action.
• 2025-04-15: Corrected Build Numbers in the Security Updates table. This is an informational change only.