Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-646q-3hwv-dfdh
Vulnerability ID VCID-646q-3hwv-dfdh
Aliases CVE-2023-33953
GHSA-496j-2rq6-j6cc
Summary Excessive Iteration in gRPC gRPC contains a vulnerability that allows hpack table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases/ Three vectors were found that allow the following DOS attacks: - Unbounded memory buffering in the HPACK parser - Unbounded CPU consumption in the HPACK parser The unbounded CPU consumption is down to a copy that occurred per-input-block in the parser, and because that could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, with n selected by the client. The unbounded memory buffering bugs: - The header size limit check was behind the string reading code, so we needed to first buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16kb. - HPACK varints have an encoding quirk whereby an infinite number of 0’s can be added at the start of an integer. gRPC’s hpack parser needed to read all of them before concluding a parse. - gRPC’s metadata overflow check was performed per frame, so that the following sequence of frames could cause infinite buffering: HEADERS: containing a: 1 CONTINUATION: containing a: 2 CONTINUATION: containing a: 3 etc…
Status Published
Exploitability 0.5
Weighted Severity 6.8
Risk 3.4
Affected and Fixed Packages Package Details
Weaknesses (5)
CWE-770 Allocation of Resources Without Limits or Throttling
CWE-789 Memory Allocation with Excessive Size Value
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-834 Excessive Iteration
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-33953.json
epss 0.00116 https://api.first.org/data/v1/epss?cve=CVE-2023-33953
cvssv3.1 7.5 https://cloud.google.com/support/bulletins#gcp-2023-022
generic_textual HIGH https://cloud.google.com/support/bulletins#gcp-2023-022
ssvc Track https://cloud.google.com/support/bulletins#gcp-2023-022
cvssv3.1 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3 7.5 https://github.com/advisories/GHSA-496j-2rq6-j6cc
cvssv3.1 7.5 https://github.com/advisories/GHSA-496j-2rq6-j6cc
generic_textual HIGH https://github.com/advisories/GHSA-496j-2rq6-j6cc
cvssv3.1 7.5 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/grpc/CVE-2023-33953.yml
generic_textual HIGH https://github.com/rubysec/ruby-advisory-db/blob/master/gems/grpc/CVE-2023-33953.yml
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2023-33953
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2023-33953
cvssv3.1 7.5 https://security.snyk.io/vuln/SNYK-RUBY-GRPC-5834442
generic_textual HIGH https://security.snyk.io/vuln/SNYK-RUBY-GRPC-5834442
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-33953.json
https://api.first.org/data/v1/epss?cve=CVE-2023-33953
https://cloud.google.com/support/bulletins#gcp-2023-022
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://security.snyk.io/vuln/SNYK-RUBY-GRPC-5834442
1059279 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059279
2230890 https://bugzilla.redhat.com/show_bug.cgi?id=2230890
CVE-2023-33953 https://nvd.nist.gov/vuln/detail/CVE-2023-33953
CVE-2023-33953.YML https://github.com/rubysec/ruby-advisory-db/blob/master/gems/grpc/CVE-2023-33953.yml
GHSA-496j-2rq6-j6cc https://github.com/advisories/GHSA-496j-2rq6-j6cc
RHSA-2024:10761 https://access.redhat.com/errata/RHSA-2024:10761
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-33953.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://cloud.google.com/support/bulletins#gcp-2023-022
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-27T17:54:21Z/ Found at https://cloud.google.com/support/bulletins#gcp-2023-022
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/advisories/GHSA-496j-2rq6-j6cc
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/grpc/CVE-2023-33953.yml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-33953
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://security.snyk.io/vuln/SNYK-RUBY-GRPC-5834442
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.30081
EPSS Score 0.00116
Published At May 30, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-30T21:01:33.648258+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/grpc/CVE-2023-33953.yml 38.6.0