http2 bug

About this tag
The http2 bug tag covers discussions about a timing vulnerability in Qt's HTTP/2 implementation, tracked as CVE-2024-39936. This bug creates a race condition where code can make security-relevant decisions before a TLS session is fully confirmed, potentially leaking confidential data to the wrong endpoint during HTTP/2 redirects. The issue is not a cryptographic flaw but a timing gap in connection establishment. Threads under this tag focus on the technical details of the vulnerability, its impact on TLS redirects, and mitigation strategies for developers using Qt.
  1. Qt CVE-2024-39936: Timing bug in HTTP/2 risks TLS redirects

    Qt's HTTP/2 handling bug tracked as CVE-2024-39936 lets code make security-relevant decisions before a TLS session has been confirmed, creating a timing gap that can leak confidential data to the wrong endpoint when HTTP/2 and redirects are involved. Background In early July 2024 a...