## Moby spdystream v0.5.1 Patches Critical Memory Exhaustion Vulnerability (CVE-2026-35469)
A critical security flaw in the widely used `moby/spdystream` library exposes services to remote memory exhaustion attacks. The vulnerability, tracked as CVE-2026-35469, resides in the SPDY/3 frame parser, which fails to validate attacker-controlled input before allocating memory. This allows a remote peer to send a small number of specially crafted control frames, forcing a target process to allocate gigabytes of memory and ultimately crash due to an out-of-memory condition.

The flaw affects the `github.com/moby/spdystream` package, a core component for handling SPDY protocol streams in Go applications. It is patched in v0.5.1; v0.5.0 is vulnerable. The security advisory confirms that a malicious actor able to send SPDY frames to any service using this library can trigger the denial of service, potentially disrupting critical backend communications and container orchestration tooling that depend on this stream-handling layer.

This update is marked as a security priority. The patch enforces proper validation of frame counts and lengths prior to memory allocation, closing the attack vector. Any project or infrastructure relying on the unpatched `spdystream` v0.5.0 or earlier versions must apply this update to mitigate the risk of targeted resource exhaustion and service instability. The vulnerability highlights persistent risks in low-level network parsing libraries that underpin modern distributed systems.
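
The validate-before-allocate pattern described above, as an added example (not the spdystream patch or any code from the project): a Go parser for a count-prefixed list of length-prefixed name/value pairs, the layout SPDY/3 uses for header blocks, which checks every declared count and length against a cap and against the bytes actually received before `make()` or slicing. The names `parsePairs`, `size`, `maxPairs` and `maxFieldLen` and the cap values are assumptions chosen for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed caps for this example; a real service tunes them to its traffic.
const maxPairs, maxFieldLen = 1024, 1 << 16
var errMalformed = errors.New("declared size exceeds cap or remaining input")

// size reads a 32-bit count or length; it must fit limit and the bytes received.
func size(buf []byte, limit, unit uint64) (uint64, []byte, error) {
	if len(buf) < 4 {
		return 0, nil, errMalformed
	}
	n, rest := uint64(binary.BigEndian.Uint32(buf)), buf[4:]
	if n > limit || n*unit > uint64(len(rest)) {
		return 0, nil, errMalformed
	}
	return n, rest, nil
}

// parsePairs decodes a count-prefixed list of length-prefixed name/value pairs.
func parsePairs(buf []byte) (map[string]string, error) {
	// Each pair carries two 4-byte length prefixes, so an honest count is <= len/8.
	count, buf, err := size(buf, maxPairs, 8)
	if err != nil {
		return nil, err
	}
	pairs := make(map[string]string, count) // sized only after validation
	for i := uint64(0); i < count; i++ {
		var nameLen, valLen uint64
		if nameLen, buf, err = size(buf, maxFieldLen, 1); err != nil {
			return nil, err
		}
		name := buf[:nameLen]
		if valLen, buf, err = size(buf[nameLen:], maxFieldLen, 1); err != nil {
			return nil, err
		}
		pairs[string(name)] = string(buf[:valLen])
		buf = buf[valLen:]
	}
	return pairs, nil
}

func main() {
	// Constructed input: the count claims 0xFFFFFFFF pairs and no body follows.
	fmt.Println(parsePairs([]byte{0xff, 0xff, 0xff, 0xff}))
}
```

The four-byte constructed input in `main` is rejected without any allocation proportional to the declared count; a parser that passed the raw count straight to `make()` would size its allocation from the attacker's number instead.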
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2026-35469, memory-exhaustion, denial-of-service, Go, security-patch
- **Credibility**: unverified
- **Published**: 2026-04-17 20:22:51
- **ID**: 70008
- **URL**: https://whisperx.ai/en/intel/70008