When was CVE-2023-44487 disclosed?

CVE-2023-44487 was first published in the National Vulnerability Database on October 10, 2023, with the most recent update on May 12, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.

Is CVE-2023-44487 actively exploited?

Yes. CISA added CVE-2023-44487 to the Known Exploited Vulnerabilities catalog on October 10, 2023, affecting IETF HTTP/2. KEV listing indicates confirmed exploitation in the wild; this CVE warrants immediate patching attention.

What is the CVSS score of CVE-2023-44487?

CVE-2023-44487 has a CVSS v3 base score of 7.5 (NVD). EchelonGraph synthesises NVD + CISA KEV + FIRST EPSS + GHSA into a combined EG score of 9.0.

Which products are affected by CVE-2023-44487?

CVE-2023-44487 affects IETF HTTP/2. The full affected-products list, including version ranges and fixed versions, is shown in the Affected Packages section of this page.

How do I remediate CVE-2023-44487?

Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2023-44487, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

CVE-2023-44487

HIGHNVD 7.59.0▲

7.5

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

CVSS v3: 7.5
EG Score: 9.0(high)
EPSS: 100.0%
KEV: ⚠ Exploited

Advisory Details (10)

Auto-updated May 20, 2026

Patch available. Sources: redhat.

generic

Biggest DDoSes of all time generated by protocol 0-day in HTTP/2 - Ars Technica

https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/

redhat Patch Available

cve-details

https://access.redhat.com/security/cve/cve-2023-44487

generic

oss-security - Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations

http://www.openwall.com/lists/oss-security/2023/10/20/8

generic

oss-security - CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST

http://www.openwall.com/lists/oss-security/2023/10/19/6

generic

oss-security - Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations

http://www.openwall.com/lists/oss-security/2023/10/18/8

generic

oss-security - Vulnerability in Jenkins

http://www.openwall.com/lists/oss-security/2023/10/18/4

generic

oss-security - Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations

http://www.openwall.com/lists/oss-security/2023/10/13/9

generic

oss-security - Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations

http://www.openwall.com/lists/oss-security/2023/10/13/4

generic

oss-security - Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations

http://www.openwall.com/lists/oss-security/2023/10/10/7

generic

oss-security - CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations

http://www.openwall.com/lists/oss-security/2023/10/10/6

Vendor Advisories for CVE-2023-44487(4)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Is Your Infrastructure Affected by CVE-2023-44487?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.

Start Free Scan →Browse All CVEs

CVE-2023-44487

Published

Last Modified

Advisory Details (10)

Biggest DDoSes of all time generated by protocol 0-day in HTTP/2 - Ars Technica

cve-details

oss-security - Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations

oss-security - CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST

oss-security - Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations

oss-security - Vulnerability in Jenkins

oss-security - Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations

oss-security - Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations

oss-security - Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations

oss-security - CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations

Vendor Advisories for CVE-2023-44487(4)

Frequently asked(6)

Dependency Blast Radius

Is Your Infrastructure Affected by CVE-2023-44487?

Same vendor

CVE-2023-44487

📅 Published

🔄 Last Modified

📋 Advisory Details (10)

Biggest DDoSes of all time generated by protocol 0-day in HTTP/2 - Ars Technica

cve-details

oss-security - Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations

oss-security - CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST

oss-security - Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations

oss-security - Vulnerability in Jenkins

oss-security - Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations

oss-security - Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations

oss-security - Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations

oss-security - CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations

📣 Vendor Advisories for CVE-2023-44487(4)

❓ Frequently asked(6)

Dependency Blast Radius

Is Your Infrastructure Affected by CVE-2023-44487?

🔗 Related CVEs(same product + same vendor)

Same vendor

Published

Last Modified

Advisory Details (10)

Vendor Advisories for CVE-2023-44487(4)

Frequently asked(6)

Related CVEs(same product + same vendor)