Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2022-41556

CVE-2022-41556: Lighttpd Denial of Service Vulnerability

CVE-2022-41556 is a denial of service flaw in Lighttpd versions 1.4.56 through 1.4.66 caused by resource leaks that enable connection-slot exhaustion. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2022-41556 Overview

A resource leak vulnerability exists in gw_backend.c in lighttpd versions 1.4.56 through 1.4.66 that could lead to a denial of service condition through connection-slot exhaustion. The vulnerability is triggered after a large amount of anomalous TCP behavior by clients and is related to RDHUP (Remote Disconnect Hang Up) mishandling in certain HTTP/1.1 chunked transfer situations. Deployments using mod_fastcgi are particularly affected by this issue. The vulnerability has been addressed in lighttpd version 1.4.67.

Critical Impact

This resource exhaustion vulnerability can render lighttpd web servers unavailable by exhausting all available connection slots through malicious TCP behavior, leading to complete service denial for legitimate users.

Affected Products

  • lighttpd versions 1.4.56 through 1.4.66
  • Fedora Project Fedora 35

Discovery Timeline

  • 2022-10-06 - CVE CVE-2022-41556 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2022-41556

Vulnerability Analysis

This vulnerability represents a classic resource leak scenario in the lighttpd web server's gateway backend handling code. The flaw manifests when processing HTTP/1.1 requests with chunked transfer encoding under specific network conditions. When clients exhibit anomalous TCP behavior, the server fails to properly release connection resources, leading to gradual resource depletion.

The core issue lies in the improper handling of RDHUP (Remote Disconnect Hang Up) events during chunked HTTP/1.1 transfers. RDHUP is a socket notification mechanism that indicates the remote peer has closed its end of the connection for writing. When lighttpd receives these signals in certain chunked transfer scenarios, it fails to properly clean up the associated connection slots, causing them to remain allocated indefinitely.

Root Cause

The root cause is classified as CWE-401 (Missing Release of Memory after Effective Lifetime). In gw_backend.c, the code path responsible for handling backend gateway connections does not properly release connection resources when encountering RDHUP events during HTTP/1.1 chunked transfers. This results in connection slots being held in an unusable state, gradually consuming all available connection capacity.

The issue specifically affects the interaction between the frontend HTTP connection handling and the backend FastCGI/proxy communication layer. When the remote client exhibits unusual TCP behavior (such as sending RST packets or half-closing connections during chunked transfers), the backend connection state machine fails to transition properly to release the associated resources.

Attack Vector

The attack can be executed remotely over the network without authentication or user interaction. An attacker would need to establish multiple TCP connections to the vulnerable lighttpd server and deliberately exhibit anomalous TCP behavior during HTTP/1.1 chunked transfer requests.

The attack methodology involves:

  1. Establishing HTTP/1.1 connections to the target server
  2. Initiating requests that utilize chunked transfer encoding to backend modules (such as mod_fastcgi)
  3. Manipulating TCP connection behavior (half-closing, sending unexpected packets, or timing manipulation)
  4. Repeating the process to gradually exhaust available connection slots

As connection slots become exhausted, the server becomes unable to accept new legitimate connections, resulting in denial of service.

Detection Methods for CVE-2022-41556

Indicators of Compromise

  • Unusual increase in half-open or stuck TCP connections on lighttpd ports (typically 80/443)
  • Connection pool exhaustion warnings or errors in lighttpd server logs
  • Gradual increase in memory consumption without corresponding traffic increase
  • Legitimate client connections being refused with "connection refused" or timeout errors

Detection Strategies

  • Monitor lighttpd connection pool utilization metrics for abnormal patterns approaching maximum thresholds
  • Implement connection tracking to identify clients exhibiting unusual TCP behavior patterns during chunked transfers
  • Configure alerting on sudden increases in connection establishment rates combined with low request completion rates
  • Review server logs for patterns indicating incomplete HTTP/1.1 chunked transfers

Monitoring Recommendations

  • Set up continuous monitoring of active connection counts versus configured connection limits
  • Implement network-level monitoring for anomalous TCP state patterns (excessive FIN_WAIT, CLOSE_WAIT states)
  • Deploy application performance monitoring to track request completion rates versus connection establishment rates
  • Configure real-time alerting when connection utilization exceeds 80% of maximum configured slots

How to Mitigate CVE-2022-41556

Immediate Actions Required

  • Upgrade lighttpd to version 1.4.67 or later immediately
  • Review current connection pool utilization to ensure no ongoing exploitation
  • Implement connection rate limiting at the network or load balancer level as a temporary measure
  • Consider temporarily disabling or restricting access to mod_fastcgi endpoints if immediate patching is not possible

Patch Information

The vulnerability is fixed in lighttpd version 1.4.67. The fix addresses the RDHUP handling logic in gw_backend.c to ensure proper resource cleanup under all connection termination scenarios. Organizations should upgrade to this version or later as soon as possible.

The specific fix can be reviewed in the Lighttpd Commit Update. A comparison of changes between the vulnerable and patched versions is available in the Lighttpd Version Comparison.

For Fedora users, updated packages are available through the Fedora Package Announcement. Gentoo users should refer to the Gentoo GLSA Advisory.

Workarounds

  • Implement aggressive connection timeouts to automatically release stuck connections
  • Deploy a reverse proxy or load balancer in front of lighttpd to filter anomalous connection behavior
  • Configure server.max-connections to a lower value with automatic connection cleanup to limit impact
  • Use firewall rules to rate-limit new connections per source IP address
bash
# Configuration example for connection limits
# Add to lighttpd.conf to mitigate connection exhaustion
server.max-connections = 1024
server.max-keep-alive-requests = 100
server.max-keep-alive-idle = 30
server.event-handler = "linux-sysepoll"

# Network-level rate limiting using iptables
iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 50 -j DROP
iptables -A INPUT -p tcp --dport 443 -m connlimit --connlimit-above 50 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne