Anonymous Intelligence Signal

Moby spdystream Library Exposes Critical Memory Exhaustion Flaw (CVE-2026-35469)

human The Lab unverified 2026-04-18 02:22:38 Source: GitHub Issues

A critical security vulnerability in the widely used `moby/spdystream` library exposes services to remote memory exhaustion attacks. The flaw, tracked as CVE-2026-35469, resides in the SPDY/3 frame parser, which fails to validate attacker-controlled data before allocating system memory. This allows a remote peer to send a small number of maliciously crafted control frames, forcing a target process to allocate gigabytes of memory and ultimately crash due to an out-of-memory condition.

The vulnerability affects the Go library `github.com/moby/spdystream` in versions prior to v0.5.1. The issue was addressed in the newly released v0.5.1, which adds proper validation of frame counts and lengths before memory is allocated. The security advisory was published via GitHub, and the fix has been propagated into dependent projects by automated dependency-management tools such as RenovateBot, as evidenced by pull requests being opened and merged to update the module.
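As an added illustration of the defensive pattern the v0.5.1 fix describes (this is example code, not spdystream's own), the following Go parser bounds a peer-supplied SPDY/3 control-frame length both by a policy cap and by the bytes actually received before it allocates anything. The 8-byte header layout follows the SPDY/3 draft; `maxPayload`, the error names and the sample frame are assumptions constructed for this example, and frame-count validation is left out for brevity.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// SPDY/3 control frames begin with an 8-byte header whose last three bytes
// carry the payload length. maxPayload is a constructed policy cap, not a protocol constant.
const (
	headerLen  = 8
	maxPayload = 1 << 16
)

var (
	ErrTruncated  = errors.New("control frame truncated")
	ErrTooLong    = errors.New("declared length exceeds policy cap")
	ErrNotControl = errors.New("not a control frame")
)

// ParseControlFrame returns the frame type and a copy of its payload. The peer-supplied
// length is checked against the cap and against the bytes actually present before make()
// runs; calling make([]byte, n) right after reading n lets a remote peer dictate allocation size.
func ParseControlFrame(buf []byte) (typ uint16, payload []byte, err error) {
	if len(buf) < headerLen {
		return 0, nil, ErrTruncated
	}
	if buf[0]&0x80 == 0 { // control bit (bit 31 of the first word) must be set
		return 0, nil, ErrNotControl
	}
	n := int(buf[5])<<16 | int(buf[6])<<8 | int(buf[7]) // 24-bit big-endian length
	if n > maxPayload {
		return 0, nil, ErrTooLong
	}
	if len(buf)-headerLen < n {
		return 0, nil, ErrTruncated
	}
	typ = binary.BigEndian.Uint16(buf[2:4])
	payload = make([]byte, n) // only now is memory sized from peer data
	copy(payload, buf[headerLen:headerLen+n])
	return typ, payload, nil
}

func main() {
	// Constructed sample: the header claims a 16 MiB payload but only 4 bytes follow.
	hostile := []byte{0x80, 0x03, 0x00, 0x06, 0x00, 0xff, 0xff, 0xff, 1, 2, 3, 4}
	_, _, err := ParseControlFrame(hostile)
	fmt.Println("rejected:", err)
}
```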

The flaw is a classic denial-of-service vector with a high impact on availability. Any service that uses the vulnerable spdystream library to handle SPDY/3 traffic is potentially at risk if it is exposed to untrusted networks or clients. Operators can confirm which version a module or built binary actually resolves with `go list -m github.com/moby/spdystream` or `go version -m <binary>`, since a pinned indirect dependency can lag behind an automated update. The automated patching process highlights the critical role of dependency automation in the software supply chain, but also underscores the latent risk when such a core networking component contains a remotely triggerable memory exhaustion bug.