## Security Patch: Moby/spdystream v0.5.1 Fixes Critical Memory Exhaustion Vulnerability (CVE-2026-35469)
A critical memory exhaustion vulnerability in the widely used `moby/spdystream` library has been patched, forcing a mandatory update for any service relying on SPDY/3 communication. The flaw, tracked as CVE-2026-35469, resides in the library's frame parser, which fails to validate attacker-controlled counts and lengths before allocating memory. This allows a remote peer to send a small number of maliciously crafted SPDY control frames, tricking the service into allocating gigabytes of memory and triggering a complete out-of-memory crash.

The vulnerability is a classic denial-of-service vector: an attacker can remotely destabilize or crash any application using the affected versions of the `github.com/moby/spdystream` library. The patch, released as version v0.5.1, specifically addresses this parsing logic to enforce proper validation before memory allocation. The update moves from v0.5.0 to v0.5.1, a patch-level version bump that carries major security implications.
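As an added illustration of the bug class described above (this is not spdystream's code, and the frame layout is a constructed stand-in, not SPDY/3's real wire format), the Go snippet below puts a parser that trusts a declared entry count beside a hardened one that bounds the count by the bytes actually received and by a fixed cap before any allocation; `entrySize` and `maxEntries` are assumed values for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed frame layout for this example (not SPDY/3's real wire format):
// a 4-byte big-endian entry count followed by count*entrySize bytes of entries.
const entrySize = 8
const maxEntries = 1024 // assumed per-frame cap; derive it from the protocol's real limits
var errShortFrame = errors.New("frame shorter than its header")
var errBadCount = errors.New("entry count exceeds payload length or cap")

// uncheckedAllocation mirrors the bug class: it trusts the declared count and returns
// the byte size a naive make() sized from that count would request.
func uncheckedAllocation(frame []byte) (uint64, error) {
	if len(frame) < 4 {
		return 0, errShortFrame
	}
	return uint64(binary.BigEndian.Uint32(frame[:4])) * entrySize, nil
}

// parseEntries is the hardened form: the count must fit the bytes actually received
// and a fixed cap before any allocation sized by it happens.
func parseEntries(frame []byte) ([][]byte, error) {
	if len(frame) < 4 {
		return nil, errShortFrame
	}
	count, body := binary.BigEndian.Uint32(frame[:4]), frame[4:]
	if uint64(count) > maxEntries || uint64(count)*entrySize != uint64(len(body)) {
		return nil, errBadCount
	}
	entries := make([][]byte, 0, count) // sized only after validation
	for i := uint32(0); i < count; i++ {
		entries = append(entries, body[i*entrySize:(i+1)*entrySize])
	}
	return entries, nil
}

// buildFrame encodes a header claiming count entries over body (test input only).
func buildFrame(count uint32, body []byte) []byte {
	frame := make([]byte, 4, 4+len(body))
	binary.BigEndian.PutUint32(frame, count)
	return append(frame, body...)
}
func main() {
	hostile := buildFrame(0xFFFFFFFF, nil) // 4 bytes on the wire, ~4 billion claimed entries
	size, _ := uncheckedAllocation(hostile)
	_, err := parseEntries(hostile)
	fmt.Printf("naive parser would request %d bytes; hardened parser: %v\n", size, err)
}
```

The 4-byte hostile frame makes the naive path request roughly 32 GiB, which is the allocation pattern the advisory describes; the hardened path rejects it before allocating anything.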

This vulnerability places immediate pressure on DevOps and security teams across the ecosystem to audit their dependency chains and apply the update. Any service exposed to untrusted networks that uses this library for SPDY streaming is at direct risk of being taken offline. The advisory underscores the persistent threat of resource exhaustion attacks in foundational networking libraries and the critical need for automated dependency monitoring to catch such security updates as they are released.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2026-35469, Memory Exhaustion, Denial of Service, Go Security, Dependency Update
- **Credibility**: unverified
- **Published**: 2026-04-16 21:22:54
- **ID**: 68177
- **URL**: https://whisperx.ai/en/intel/68177