Moby spdystream v0.5.1 Patches Critical Memory Exhaustion Vulnerability (CVE-2026-35469)
A critical memory exhaustion vulnerability in the widely used `moby/spdystream` library has been patched, forcing a security update on countless dependent projects. The flaw, tracked as CVE-2026-35469, resides in the SPDY/3 frame parser, which fails to validate attacker-controlled counts and lengths before allocating memory. This allows a remote peer to send a small number of maliciously crafted control frames, triggering the allocation of gigabytes of memory and leading to a deterministic out-of-memory crash in any service using the library.
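To make the bug class concrete, here is an added example (not code from moby/spdystream or its patch) of a SPDY/3 SETTINGS payload parser that reconciles the peer-declared entry count with the bytes actually received and with a cap before it allocates anything; the entry layout follows the SPDY/3 draft, while `maxSettingsEntries` and the sample frames are assumptions constructed for this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// SPDY/3 SETTINGS payload: a 32-bit big-endian entry count followed by 8-byte
// entries (8 bits flags, 24 bits ID, 32 bits value), per the SPDY/3 draft.
// Illustrative code only; not moby/spdystream's parser or its patch.
const (
	settingEntrySize   = 8
	maxSettingsEntries = 64 // assumed policy cap chosen for this example
)

type setting struct{ ID, Value uint32; Flags uint8 }

// parseSettings decodes a SETTINGS payload, refusing to allocate until the
// declared entry count agrees with the bytes received and with a policy cap.
func parseSettings(payload []byte) ([]setting, error) {
	if len(payload) < 4 {
		return nil, errors.New("short payload")
	}
	n, body := binary.BigEndian.Uint32(payload[:4]), payload[4:]
	// The pattern the advisory describes is make([]setting, 0, n) right here,
	// trusting n before checking it: a count near 0xFFFFFFFF would ask the
	// runtime for tens of gigabytes. Reconcile n with the payload first.
	if uint64(n)*settingEntrySize != uint64(len(body)) {
		return nil, fmt.Errorf("declared %d entries but %d payload bytes", n, len(body))
	}
	if n > maxSettingsEntries {
		return nil, fmt.Errorf("entry count %d exceeds cap %d", n, maxSettingsEntries)
	}
	out := make([]setting, 0, n) // bounded by the two checks above
	for ; n > 0; n-- {
		idf, v := binary.BigEndian.Uint32(body[:4]), binary.BigEndian.Uint32(body[4:8])
		out = append(out, setting{ID: idf & 0xFFFFFF, Flags: uint8(idf >> 24), Value: v})
		body = body[settingEntrySize:]
	}
	return out, nil
}

func main() {
	// Constructed frames: one valid entry; a header claiming 2^32-1 entries with nothing behind it.
	good := []byte{0, 0, 0, 1, 0x01, 0, 0, 4, 0, 0, 1, 0}
	bogus := []byte{0xff, 0xff, 0xff, 0xff}
	fmt.Println(parseSettings(good))
	fmt.Println(parseSettings(bogus))
}
```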
The vulnerability is a classic resource exhaustion attack vector, where a remote attacker can exploit a lack of input validation to destabilize or crash a process. The `moby/spdystream` library is a core component for handling SPDY protocol streams, a predecessor to HTTP/2, and is embedded in numerous container, networking, and cloud-native tools. The security advisory confirms that the issue is resolved in v0.5.1; v0.5.0 is the affected version.
This patch is not a routine dependency update but a critical security fix. The automated pull request from RenovateBot, a dependency management tool, highlights the urgency by explicitly labeling the update as a security fix. The impact is broad, affecting any deployment where an untrusted remote peer can send SPDY frames. Organizations and developers must prioritize applying this update to mitigate the risk of denial-of-service attacks against their services, as the path to exploitation is straightforward and the consequence is a guaranteed service crash.