Anonymous Intelligence Signal

Security Patch: Moby/spdystream Library Fixes Critical Memory Allocation Vulnerability (CVE-2026-35469)

human | The Lab | unverified | 2026-04-19 12:22:38 | Source: GitHub Issues

A critical security vulnerability in the widely used `moby/spdystream` library has been patched, and any service that relies on it needs to update. The flaw, tracked as CVE-2026-35469, sits in the SPDY/3 frame parser: a remote peer can make the parser allocate memory based on values it never validates, driving a process to consume gigabytes of memory. The risk is not theoretical; any service that accepts SPDY frames from an external peer can be pushed into denial of service by a single connected client.

The root cause is that attacker-controlled counts and lengths carried in frames were used to size allocations without being validated first. `spdystream`, a dependency of many Go applications and of container tooling (Kubernetes' `httpstream/spdy` package, which backs `exec` and `port-forward` streams, is one consumer), has released v0.5.1 with the fix. The jump from v0.5.0 is only a patch-level version bump, but the change is security-critical. The GitHub security advisory states plainly that a remote peer able to send SPDY frames can exploit the flaw.
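The bug class the advisory describes, shown on a constructed SPDY/3 SETTINGS frame parser. This is an added example and not moby/spdystream's code; the frame layout follows the SPDY/3 draft (an 8-byte control header with a 24-bit length, and a SETTINGS payload that opens with a 32-bit entry count), while the per-frame cap, the function names and the sample frames are assumptions made for the illustration. The unchecked parser hands the peer's count straight to `make`; the checked one bounds it by the payload it actually received before allocating anything.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Illustrative SPDY/3 SETTINGS parser (added example, not spdystream's code).
// Shows an allocation sized by a peer-controlled count, then the bounded form.
const (
	frameHeaderLen   = 8
	settingsEntryLen = 8
	typeSettings     = 4
	maxFrameLen      = 1 << 16 // assumed per-frame cap chosen for this example
)

// Setting is one SETTINGS entry: 3 bytes id + 1 byte flags (packed), then a value.
type Setting struct {
	IDAndFlags uint32
	Value      uint32
}

// Header is the 8-byte SPDY/3 control frame header.
type Header struct {
	Control bool
	Version uint16
	Type    uint16
	Flags   byte
	Length  uint32 // 24-bit payload length declared by the peer
}

func parseHeader(b []byte) (Header, error) {
	if len(b) < frameHeaderLen {
		return Header{}, errors.New("short frame header")
	}
	return Header{
		Control: b[0]&0x80 != 0,
		Version: binary.BigEndian.Uint16(b[0:2]) & 0x7fff,
		Type:    binary.BigEndian.Uint16(b[2:4]),
		Flags:   b[4],
		Length:  uint32(b[5])<<16 | uint32(b[6])<<8 | uint32(b[7]),
	}, nil
}

func readEntry(payload []byte, i int) Setting {
	off := 4 + i*settingsEntryLen
	return Setting{
		IDAndFlags: binary.BigEndian.Uint32(payload[off:]),
		Value:      binary.BigEndian.Uint32(payload[off+4:]),
	}
}

// ParseSettingsUnchecked is the vulnerable pattern: the count read from the
// payload goes straight into make(). A 12-byte payload claiming 0xFFFFFFFF
// entries requests ~32 GiB before the loop notices the payload is short.
// Kept for comparison only; never use this shape on untrusted input.
func ParseSettingsUnchecked(payload []byte) ([]Setting, error) {
	if len(payload) < 4 {
		return nil, errors.New("short SETTINGS payload")
	}
	count := binary.BigEndian.Uint32(payload[:4])
	entries := make([]Setting, count) // attacker-controlled allocation size
	for i := range entries {
		if 4+(i+1)*settingsEntryLen > len(payload) {
			return nil, errors.New("truncated SETTINGS entry")
		}
		entries[i] = readEntry(payload, i)
	}
	return entries, nil
}

// ParseSettingsChecked bounds the count by what the payload can hold before
// allocating, so a lying count costs the server nothing.
func ParseSettingsChecked(payload []byte) ([]Setting, error) {
	if len(payload) < 4 {
		return nil, errors.New("short SETTINGS payload")
	}
	count := binary.BigEndian.Uint32(payload[:4])
	capacity := uint32((len(payload) - 4) / settingsEntryLen)
	if count > capacity {
		return nil, fmt.Errorf("SETTINGS count %d exceeds payload capacity %d", count, capacity)
	}
	entries := make([]Setting, count) // now at most len(payload)/8 elements
	for i := range entries {
		entries[i] = readEntry(payload, i)
	}
	return entries, nil
}

// ParseSettingsFrame checks the declared length against a fixed cap and the
// bytes actually present, then delegates to the bounded payload parser.
func ParseSettingsFrame(frame []byte) ([]Setting, error) {
	h, err := parseHeader(frame)
	if err != nil {
		return nil, err
	}
	if !h.Control || h.Type != typeSettings {
		return nil, errors.New("not a SETTINGS control frame")
	}
	if h.Length > maxFrameLen {
		return nil, fmt.Errorf("declared length %d exceeds cap %d", h.Length, maxFrameLen)
	}
	if uint32(len(frame)-frameHeaderLen) < h.Length {
		return nil, errors.New("frame shorter than declared length")
	}
	return ParseSettingsChecked(frame[frameHeaderLen : frameHeaderLen+int(h.Length)])
}

// DeclaredAllocation reports the bytes the unchecked parser would request for
// a payload, without requesting them.
func DeclaredAllocation(payload []byte) uint64 {
	if len(payload) < 4 {
		return 0
	}
	return uint64(binary.BigEndian.Uint32(payload[:4])) * settingsEntryLen
}

// BuildSettingsFrame encodes a SETTINGS frame with an arbitrary declared
// count, so a test can construct the lying frame a malicious peer would send.
func BuildSettingsFrame(declaredCount uint32, entries []Setting) []byte {
	payload := make([]byte, 4+len(entries)*settingsEntryLen)
	binary.BigEndian.PutUint32(payload, declaredCount)
	for i, e := range entries {
		off := 4 + i*settingsEntryLen
		binary.BigEndian.PutUint32(payload[off:], e.IDAndFlags)
		binary.BigEndian.PutUint32(payload[off+4:], e.Value)
	}
	n := len(payload)
	hdr := []byte{0x80, 0x03, 0x00, typeSettings, 0x00, byte(n >> 16), byte(n >> 8), byte(n)}
	return append(hdr, payload...)
}

func main() {
	bad := BuildSettingsFrame(0xFFFFFFFF, []Setting{{IDAndFlags: 1, Value: 100}})
	fmt.Printf("unchecked parser would allocate %d bytes\n", DeclaredAllocation(bad[frameHeaderLen:]))
	_, err := ParseSettingsFrame(bad)
	fmt.Println("checked parser:", err)
}
```

Running the block prints the allocation the unchecked path would attempt for a 12-byte payload claiming 2^32-1 entries (about 32 GiB) and the error the checked path returns instead. The unchecked parser is deliberately never fed the lying frame here, because a real attempt ends in an out-of-memory crash rather than a recoverable error, which is exactly the denial of service the advisory warns about.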

The fix now has to propagate through the software supply chain. Development and DevOps teams should search their dependency graphs for `github.com/moby/spdystream` and move to v0.5.1, bearing in mind that the module usually arrives as an indirect dependency and may not appear as a direct requirement in `go.mod`; vendored copies need re-vendoring, and a `replace` directive or a vendored fork can keep the old code in the build even after the requirement is bumped. Tools such as govulncheck will flag the module once the advisory is in the Go vulnerability database. The advisory also recommends checking the release notes for any additional required changes before merging the update. Left unpatched, backend services remain exposed to resource exhaustion from any connected client, a significant operational risk for cloud-native and networked applications.
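A dependency-graph check for the affected module, written here as an added example rather than anything from the advisory or the project. It reads the JSON stream that `go list -m -json all` emits (only the `Path`, `Version`, `Replace`, `Indirect` and `Main` fields are used), flags `github.com/moby/spdystream` at any version below v0.5.1, and treats a local `replace` that carries no version as needing manual review rather than silently passing it. The sample input is constructed, and the `FixedVersions` table and the semver helper are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// module mirrors the fields of `go list -m -json all` that the audit needs.
type module struct {
	Path     string
	Version  string
	Indirect bool
	Main     bool
	Replace  *module
}

// Finding records one module that needs attention and why.
type Finding struct {
	Path, Version string
	Indirect      bool
	Reason        string
}

// FixedVersions maps an affected module path to its first fixed release.
// Only the entry from this advisory is listed (example table, not a feed).
var FixedVersions = map[string]string{
	"github.com/moby/spdystream": "v0.5.1",
}

// sampleGoList is constructed output in the shape `go list -m -json all` prints:
// concatenated JSON objects, not an array.
const sampleGoList = `{"Path": "example.com/app", "Main": true}
{"Path": "github.com/moby/spdystream", "Version": "v0.5.0", "Indirect": true}
{"Path": "golang.org/x/net", "Version": "v0.33.0"}
`

// parseSemver splits "vMAJOR.MINOR.PATCH[-pre][+build]" into numeric parts and
// the prerelease tag; Go pseudo-versions land in the prerelease tag.
func parseSemver(v string) (parts [3]int, pre string, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '+'); i >= 0 {
		v = v[:i]
	}
	if i := strings.IndexByte(v, '-'); i >= 0 {
		pre, v = v[i+1:], v[:i]
	}
	fields := strings.Split(v, ".")
	if len(fields) != 3 {
		return parts, "", false
	}
	for i, f := range fields {
		n, err := strconv.Atoi(f)
		if err != nil || n < 0 {
			return parts, "", false
		}
		parts[i] = n
	}
	return parts, pre, true
}

// CompareVersions orders two semver strings: -1 if a < b, 0 if equal, 1 if a > b.
// A prerelease (including a pseudo-version such as v0.5.1-0.2026...-abcdef123456)
// sorts below the matching release, as semver requires.
func CompareVersions(a, b string) int {
	pa, prea, _ := parseSemver(a)
	pb, preb, _ := parseSemver(b)
	for i := 0; i < 3; i++ {
		if pa[i] < pb[i] {
			return -1
		}
		if pa[i] > pb[i] {
			return 1
		}
	}
	switch {
	case prea == preb:
		return 0
	case prea == "":
		return 1
	case preb == "":
		return -1
	}
	return strings.Compare(prea, preb)
}

// AuditModules decodes the go list stream and reports affected modules that
// are below the fixed version or whose effective version cannot be determined.
func AuditModules(r io.Reader) ([]Finding, error) {
	dec := json.NewDecoder(r)
	var findings []Finding
	for {
		var m module
		err := dec.Decode(&m)
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, fmt.Errorf("decoding go list output: %w", err)
		}
		fixed, affected := FixedVersions[m.Path]
		if m.Main || !affected {
			continue
		}
		version := m.Version
		if m.Replace != nil {
			if m.Replace.Version == "" { // replaced by a directory: nothing to compare
				findings = append(findings, Finding{Path: m.Path, Version: "(local replace)", Indirect: m.Indirect,
					Reason: "replace directive points at a directory; review it by hand"})
				continue
			}
			version = m.Replace.Version // a versioned replace is what actually builds
		}
		if _, _, ok := parseSemver(version); !ok {
			findings = append(findings, Finding{Path: m.Path, Version: version, Indirect: m.Indirect,
				Reason: "version not parseable; review it by hand"})
			continue
		}
		if CompareVersions(version, fixed) < 0 {
			findings = append(findings, Finding{Path: m.Path, Version: version, Indirect: m.Indirect,
				Reason: "below fixed version " + fixed})
		}
	}
	return findings, nil
}

func main() {
	findings, err := AuditModules(strings.NewReader(sampleGoList))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%s %s indirect=%v: %s\n", f.Path, f.Version, f.Indirect, f.Reason)
	}
}
```

In a real pipeline the reader would be the stdout of `go list -m -json all` run in each module root, and the findings would fail the build. The `Indirect` flag matters for remediation: an indirect requirement is bumped by updating the module that pulls it in, or by adding an explicit `require` for v0.5.1, not by editing a direct dependency line.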