CVE-2026-35469
CVE Details
Visit the official vulnerability details page for CVE-2026-35469 to learn more.
Initial Publication
04/16/2026
Last Update
04/17/2026
Third Party Dependency
github.com/moby/spdystream
NIST CVE Summary
spdystream is a Go library for multiplexing streams over SPDY connections. In versions 0.5.0 and below, the SPDY/3 frame parser does not validate attacker-controlled counts and lengths before allocating memory. Three allocation paths are affected: the SETTINGS frame entry count, the header count in parseHeaderValueBlock, and individual header field sizes — all read as 32-bit integers and used directly as allocation sizes with no bounds checking. Because SPDY header blocks are zlib-compressed, a small on-the-wire payload can decompress into large attacker-controlled values. A remote peer that can send SPDY frames to a service using spdystream can exhaust process memory and cause an out-of-memory crash with a single crafted control frame. This issue has been fixed in version 0.5.1.
CVE Severity
Our Official Summary
Investigation is ongoing to determine how this vulnerability affects our products.
Status
Awaiting Analysis
Affected Products & Versions
| Version | PaletteAI | PaletteAI VerteX |
|---|---|---|
| 1.1.0-rc.1 | ⚠️ Impacted | ⚠️ Impacted |
| 1.0.7 | ⚠️ Impacted | ⚠️ Impacted |
Revision History
No revisions available.