Anonymous Intelligence Signal

Moby spdystream v0.5.1 Patches Critical Memory Exhaustion Vulnerability (CVE-2026-35469)

The Lab | unverified | 2026-04-19 10:22:38 | Source: GitHub Issues

A critical security flaw in the widely used `moby/spdystream` library exposes services to remote memory exhaustion. The vulnerability, tracked as CVE-2026-35469, resides in the SPDY/3 frame parser, which reads counts and lengths from the wire and uses them to size allocations before checking them against the bytes the frame actually carries. A remote peer can therefore send a small number of crafted control frames, each only a few bytes long, that force the target process to allocate gigabytes of memory and crash with an out-of-memory condition.
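To make the bug pattern concrete, here is an added illustration written for this page, not code from spdystream or from its fix: a minimal SPDY/3 SETTINGS frame parser in a vulnerable and a hardened form. The frame layout follows the SPDY/3 draft (8-byte control header with a 24-bit length, then a 32-bit entry count and 8-byte ID/value pairs); the `maxPayload` cap, the function names, and the constructed frames are this example's own choices and are not taken from the advisory.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// SPDY/3 control frame layout (from the SPDY/3 draft, not spdystream's code):
//   bytes 0-1: control bit (1) + 15-bit version
//   bytes 2-3: frame type (SETTINGS = 4)
//   byte  4:   flags
//   bytes 5-7: 24-bit payload length
// A SETTINGS payload is a 32-bit entry count followed by 8-byte entries,
// each a 32-bit flags/ID word and a 32-bit value.
const (
	frameHeaderLen   = 8
	settingsEntryLen = 8
	typeSettings     = 4
	// maxPayload is an assumed per-frame cap chosen for this example; it is
	// not a constant from spdystream.
	maxPayload = 1 << 20
)

type setting struct {
	Flags uint8
	ID    uint32
	Value uint32
}

// buildSettingsFrame encodes a SETTINGS frame (constructed test input). The
// entry count written to the wire is claimedCount, independent of
// len(entries), so a lying peer can be reproduced.
func buildSettingsFrame(claimedCount uint32, entries []setting) []byte {
	payloadLen := 4 + settingsEntryLen*len(entries)
	buf := make([]byte, frameHeaderLen+payloadLen)
	binary.BigEndian.PutUint16(buf[0:], 0x8000|3) // control bit, version 3
	binary.BigEndian.PutUint16(buf[2:], typeSettings)
	buf[5], buf[6], buf[7] = byte(payloadLen>>16), byte(payloadLen>>8), byte(payloadLen)
	binary.BigEndian.PutUint32(buf[8:], claimedCount)
	for i, e := range entries {
		off := frameHeaderLen + 4 + i*settingsEntryLen
		binary.BigEndian.PutUint32(buf[off:], uint32(e.Flags)<<24|e.ID&0xFFFFFF)
		binary.BigEndian.PutUint32(buf[off+4:], e.Value)
	}
	return buf
}

func decodeEntry(b []byte) setting {
	word := binary.BigEndian.Uint32(b)
	return setting{Flags: uint8(word >> 24), ID: word & 0xFFFFFF, Value: binary.BigEndian.Uint32(b[4:])}
}

// parseSettingsUnchecked shows the bug pattern: the entry count is read from
// the wire and used to size an allocation before anything checks that the
// frame carries that many entries. count is a uint32, so one 12-byte frame
// can demand up to 2^32 entries.
func parseSettingsUnchecked(frame []byte) ([]setting, error) {
	if len(frame) < frameHeaderLen+4 {
		return nil, errors.New("short frame")
	}
	count := binary.BigEndian.Uint32(frame[frameHeaderLen:])
	out := make([]setting, count) // sized by the attacker-controlled count
	body := frame[frameHeaderLen+4:]
	for i := range out {
		off := i * settingsEntryLen
		if off+settingsEntryLen > len(body) {
			break // data ran out, but the memory is already committed
		}
		out[i] = decodeEntry(body[off:])
	}
	return out, nil
}

// parseSettingsChecked validates every peer-controlled number before it
// drives an allocation: the header length against a cap and the buffer,
// then the entry count against the bytes the payload can actually hold.
func parseSettingsChecked(frame []byte) ([]setting, error) {
	if len(frame) < frameHeaderLen {
		return nil, errors.New("short frame header")
	}
	if binary.BigEndian.Uint16(frame[2:]) != typeSettings {
		return nil, errors.New("not a SETTINGS frame")
	}
	payloadLen := int(frame[5])<<16 | int(frame[6])<<8 | int(frame[7])
	switch {
	case payloadLen > maxPayload:
		return nil, fmt.Errorf("payload length %d exceeds cap %d", payloadLen, maxPayload)
	case len(frame) < frameHeaderLen+payloadLen:
		return nil, fmt.Errorf("truncated: header claims %d payload bytes, %d present", payloadLen, len(frame)-frameHeaderLen)
	case payloadLen < 4:
		return nil, errors.New("SETTINGS payload shorter than its count field")
	}
	count := binary.BigEndian.Uint32(frame[frameHeaderLen:])
	available := uint32((payloadLen - 4) / settingsEntryLen)
	if count > available {
		return nil, fmt.Errorf("entry count %d but payload holds at most %d entries", count, available)
	}
	out := make([]setting, 0, count) // bounded by bytes actually on the wire
	body := frame[frameHeaderLen+4 : frameHeaderLen+payloadLen]
	for i := uint32(0); i < count; i++ {
		out = append(out, decodeEntry(body[i*settingsEntryLen:]))
	}
	return out, nil
}

func main() {
	// Constructed frame: claims one million entries, carries exactly one.
	lie := buildSettingsFrame(1_000_000, []setting{{ID: 4, Value: 100}})
	got, _ := parseSettingsUnchecked(lie)
	fmt.Printf("unchecked: %d-byte frame produced a slice of %d entries\n", len(lie), len(got))
	_, err := parseSettingsChecked(lie)
	fmt.Println("checked:", err)
}
```

The demonstration deliberately uses a count of one million rather than 2^32: the unchecked parser still accepts it and commits a multi-megabyte slice for a 20-byte frame, while a count in the billions would have the Go runtime abort the process outright, which is the crash the advisory describes. The hardened version is ordered so that no allocation depends on a number that has not yet been compared with data already in hand: the 24-bit length is capped and checked against the buffer first, and the entry count is then bounded by what that length can contain.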

The flaw affects `github.com/moby/spdystream` prior to version 0.5.1. The issue is not theoretical: it gives any remote peer a direct denial-of-service vector against every service that uses this library for SPDY stream handling. Version 0.5.1 adds the missing validation of frame counts and lengths, which bounds the allocations and resolves advisory GHSA-pc3f-x583-g7j2.

Dependency management tools flag this update as a security fix. The vulnerability's reach is significant because spdystream is embedded in container and networking toolchains, usually as a transitive dependency that never appears in a project's direct requirements. Organizations and developers should review their full dependency graphs now (for Go modules, `go list -m all` prints the resolved version of every module in a build, including transitive ones) and upgrade every vulnerable instance: the attack needs no authentication, and a handful of frames is enough to destabilize or crash the service.