nginx 1.9.x < 1.9.6 HTTPv2 PRI Double-Free DoS
Severity: High
Nessus Plugin ID: 86884

Synopsis
The remote web server is affected by a denial of service vulnerability.
Description
According to the self-reported version in its response header, the version of nginx hosted on the remote web server is 1.9.x prior to 1.9.6. It is, therefore, affected by a denial of service vulnerability due to a double-free memory error in the HTTPv2 module that is triggered when handling certain PRI packets. An unauthenticated, remote attacker can exploit this, via a crafted PRI packet, to cause a section of heap-based memory to be freed twice, which can result in crashing the server.
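The version check this plugin relies on, as an added Python example (not Nessus plugin code): it reads the self-reported nginx version from a Server header value and flags 1.9.x prior to 1.9.6. The header values are constructed samples; a banner that hides the version (server_tokens off) yields None, since a banner-based check cannot assess it.

```python
import re
from typing import Optional, Tuple

# Added example, not Nessus plugin code: reproduces the version-range logic
# the plugin describes (nginx 1.9.x prior to 1.9.6, judged from the banner).
AFFECTED_BRANCH = (1, 9)
FIXED_VERSION = (1, 9, 6)

# "nginx", "nginx/1.9.5" or "nginx/1.9.5 (some suffix)"; anything else is not nginx.
_SERVER_RE = re.compile(r"^\s*nginx(?:/(\d+(?:\.\d+)*))?(?:\s.*)?$", re.IGNORECASE)


def parse_nginx_version(server_header: str) -> Optional[Tuple[int, ...]]:
    """Return the version tuple from a Server header value, or None.

    None covers both non-nginx servers and nginx instances that hide their
    version, which a banner check cannot assess.
    """
    m = _SERVER_RE.match(server_header)
    if not m or m.group(1) is None:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(server_header: str) -> Optional[bool]:
    """True if the banner reports nginx 1.9.x < 1.9.6, False if a version is
    reported but lies outside that range, None if no version could be read."""
    version = parse_nginx_version(server_header)
    if version is None:
        return None
    # Pad to three components so a bare "nginx/1.9" compares as 1.9.0.
    version = (version + (0, 0, 0))[:3]
    return version[:2] == AFFECTED_BRANCH and version < FIXED_VERSION


# Constructed sample banners (not captured from any real host).
SAMPLE_HEADERS = {
    "nginx/1.9.5": True,
    "nginx/1.9.6": False,
    "nginx/1.8.1": False,   # other branch: outside this plugin's check
    "nginx": None,          # version hidden: cannot be assessed from the banner
    "Apache/2.4.7": None,   # not nginx
}

if __name__ == "__main__":
    for header, expected in SAMPLE_HEADERS.items():
        result = is_affected(header)
        assert result is expected, (header, result)
        print(f"{header:16} -> {result}")
```

Because the check is banner-based, a backported fix or an edited banner produces false positives or negatives; confirm against the installed package version on the host.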
Solution
Upgrade to nginx version 1.9.6 or later.