CVE-2018-6346

HIGH 7.5 / 10.0
Published: December 31, 2018 at 10:29 PM
Modified: May 6, 2025 at 04:15 PM
Source: cve-assign@fb.com

Vulnerability Description

A potential denial-of-service issue in the Proxygen handling of invalid HTTP2 priority settings (specifically a circular dependency). This affects Proxygen prior to v2018.12.31.00.

CVSS Metrics

Base Score
7.5
Severity
HIGH
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weaknesses (CWE)

Source: cve-assign@fb.com
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Proxygen, a Facebook-developed HTTP proxy, is vulnerable to a denial-of-service (DoS) attack due to improper handling of HTTP/2 priority settings. Attackers can exploit a circular dependency within the priority handling logic to exhaust server resources, leading to a complete service outage.

02 // Vulnerability Mechanism

Step 1: Malicious Request Creation: An attacker constructs a specially crafted HTTP/2 PRIORITY frame. This frame specifies a set of stream dependencies that, when combined, create a circular dependency.

Step 2: Frame Delivery: The attacker sends the malicious PRIORITY frame to a Proxygen instance.

Step 3: Priority Tree Processing: Proxygen receives the frame and attempts to update its internal priority tree based on the attacker's instructions.

Step 4: Circular Dependency Detection Failure: The Proxygen implementation fails to detect the circular dependency introduced by the attacker's frame.

Step 5: Resource Exhaustion: The server enters an infinite loop or consumes excessive resources attempting to resolve the circular dependency. This might involve repeated calculations, memory allocations, or CPU cycles.

Step 6: Denial of Service: The server's resources are exhausted, leading to a denial-of-service condition. Legitimate requests are either dropped or significantly delayed, rendering the service unusable.

03 // Deep Technical Analysis

The vulnerability stems from a flaw in Proxygen's HTTP/2 priority handling. Specifically, the code fails to properly validate and prevent the creation of circular dependencies within the priority tree. When an attacker crafts a malicious HTTP/2 priority frame that establishes a circular dependency (e.g., stream A depends on B, B depends on C, and C depends on A), the server enters an infinite loop or consumes excessive resources attempting to resolve the dependency graph. This can lead to CPU exhaustion, memory allocation failures, and ultimately, a DoS condition. The root cause is a lack of proper input validation and cycle detection within the priority tree management logic.
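The A -> B -> C -> A case above is exactly the situation RFC 7540 section 5.3.3 addresses: a receiver must not simply insert the new edge, but first move the would-be parent up to the reprioritized stream's old parent. The following is an added example, not Proxygen's code or its actual fix, showing a minimal priority tree that applies that rule, rejects self-dependency, and exposes an acyclicity invariant a unit test or fuzzer can check; the class and function names are assumed.

```cpp
#include <cstdint>
#include <stdexcept>
#include <unordered_map>
#include <unordered_set>
// Added example (not Proxygen's code): a minimal HTTP/2 priority tree that
// applies the RFC 7540 s5.3.3 rule when a PRIORITY frame would make a stream
// depend on one of its own descendants. Stream 0 is the implicit root.
class PriorityTree {
 public:
  PriorityTree() { parent_[0] = 0; }
  // Apply a PRIORITY frame: make `id` depend on `newParent` (0 = root).
  void reprioritize(uint32_t id, uint32_t newParent) {
    if (id == 0 || id == newParent)
      throw std::invalid_argument("PROTOCOL_ERROR: stream cannot depend on itself");
    if (!parent_.count(id)) parent_[id] = 0;  // unknown streams start at the root
    if (!parent_.count(newParent)) parent_[newParent] = 0;
    // If newParent already sits below id, first move newParent up to id's current
    // parent; the new edge then extends a chain instead of closing a cycle.
    if (isDescendant(newParent, id)) parent_[newParent] = parent_[id];
    parent_[id] = newParent;
  }
  uint32_t parentOf(uint32_t id) const { return parent_.at(id); }
  // True if `node` sits below `ancestor`; the visited set bounds the walk.
  bool isDescendant(uint32_t node, uint32_t ancestor) const {
    std::unordered_set<uint32_t> seen;
    while (node != 0 && seen.insert(node).second) {
      node = parent_.at(node);
      if (node == ancestor) return true;
    }
    return false;
  }
  // Invariant for tests/fuzzing: every stream reaches the root without revisits.
  bool acyclic() const {
    for (const auto& kv : parent_) {
      std::unordered_set<uint32_t> seen;
      for (uint32_t n = kv.first; n != 0; n = parent_.at(n))
        if (!seen.insert(n).second) return false;
    }
    return true;
  }
 private:
  std::unordered_map<uint32_t, uint32_t> parent_;
};
// Build the A -> B -> C chain (1 -> 3 -> 5), then request "A depends on C".
bool cycleRequestStaysAcyclic() {
  PriorityTree t;
  t.reprioritize(1, 0); t.reprioritize(3, 1); t.reprioritize(5, 3);
  t.reprioritize(1, 5);
  return t.acyclic() && t.parentOf(5) == 0 && t.parentOf(1) == 5 && t.parentOf(3) == 1;
}
```

After the reprioritization, stream 5 hangs off the root, stream 1 depends on 5, and stream 3 still depends on 1, so the attacker-requested edge is honoured without ever forming a loop.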

CVE-2018-6346 - HIGH Severity (7.5) | Free CVE Database | 4nuxd