CVE-2016-7153 in Web Browser

Summary

by MITRE

The HTTP/2 protocol does not consider the role of the TCP congestion window in providing information about content length, which makes it easier for remote attackers to obtain cleartext data by leveraging a web-browser configuration in which third-party cookies are sent, aka a "HEIST" attack.


Analysis

by VulDB Data Team • 09/08/2025

CVE-2016-7153 is a significant security flaw in the HTTP/2 protocol that exploits a fundamental mismatch between TCP congestion control and the determination of HTTP content length. It concerns how HTTP/2 handles content-length information during transmission: because the protocol does not properly account for the TCP congestion window size when determining whether content has been fully transmitted, an attacker can infer sensitive data by carefully analyzing network traffic patterns. The flaw becomes particularly problematic in scenarios involving third-party cookie handling.

Exploitation follows the HEIST attack pattern: a remote adversary reconstructs cleartext content by observing the timing and size characteristics of TCP packets during HTTP/2 communication. When browsers are configured to send third-party cookies the vulnerability becomes more pronounced, because the attacker can correlate the timing of cookie transmission with the underlying TCP congestion window behavior and deduce information about the content being transferred. The attack relies on the fact that HTTP/2's flow control does not adequately consider the congestion window's role in signaling content completion, which creates observable patterns that leak information about the transmitted data.

The operational impact of CVE-2016-7153 goes beyond simple information disclosure: combining timing analysis with network monitoring can reconstruct sensitive data from seemingly innocuous HTTP/2 traffic. The vulnerability affects web browsers and servers that implement HTTP/2, particularly those that do not account for the relationship between TCP congestion control and HTTP content-length determination. The attack vector is especially concerning because it can be executed remotely without privileged access or specialized tools, making it accessible to a broad range of threat actors.

Mitigations focus on HTTP/2 flow control that accounts for TCP congestion window behavior and content-length signaling. Organizations should ensure that HTTP/2 implementations handle content-length determination with additional validation checks that consider the characteristics of the underlying transport layer. The fix typically involves updating web server configurations and browser implementations to account for congestion window size in flow control decisions, so that attackers cannot use timing information to infer content details. The vulnerability maps to CWE-200 (Information Exposure) and can be categorized under ATT&CK technique T1071.004 (Application Layer Protocol: DNS) when used in conjunction with other reconnaissance activities, though the primary concern remains the improper handling of TCP flow control in HTTP/2 contexts.
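To make the length leak described above concrete, the following added example (not code from VulDB or MITRE) models how many TCP round trips a response needs under slow start, what an observer who only sees that round count can infer about the body length, and how fixed-size padding of a sensitive endpoint collapses the distinction. The MSS and initial congestion window are assumptions (typical values), HTTP/2 framing bytes are ignored, and the padding countermeasure is a generic size-side-channel defense rather than one this entry names.

```python
# Model of the congestion-window length leak behind CVE-2016-7153 (HEIST).
# Constants are assumptions; HTTP/2 framing and header bytes are ignored.
MSS = 1460        # assumed payload bytes per TCP segment (1500-byte MTU)
INIT_CWND = 10    # assumed initial congestion window, in segments (RFC 6928)

def rounds_to_deliver(size, mss=MSS, init_cwnd=INIT_CWND):
    """Round trips needed to push `size` body bytes under TCP slow start
    (window doubles each round); the browser sees roughly this many RTTs
    elapse before the response is complete."""
    sent, cwnd, rounds = 0, init_cwnd, 0
    while sent < size:
        sent += cwnd * mss
        cwnd *= 2
        rounds += 1
    return rounds

def size_interval_for_rounds(rounds, mss=MSS, init_cwnd=INIT_CWND):
    """Inclusive byte range consistent with an observed round-trip count:
    this is all the congestion-window timing reveals about the length."""
    if rounds < 1:
        return (0, 0)
    per_window = mss * init_cwnd
    return (per_window * (2 ** (rounds - 1) - 1) + 1,
            per_window * (2 ** rounds - 1))

def distinguishable(size_a, size_b):
    """True if two response lengths land in different round-trip buckets,
    i.e. an observer could tell them apart by timing alone."""
    return rounds_to_deliver(size_a) != rounds_to_deliver(size_b)

def pad_to_bucket(body, bucket, filler=b" "):
    """Assumed mitigation, generic to size side channels: pad every response
    of a sensitive endpoint to one fixed length so that different secrets
    never cross a window boundary differently. The filler must be harmless
    for the content type (e.g. inside an HTML comment or JSON whitespace)."""
    if len(body) > bucket:
        raise ValueError("body exceeds padding bucket")
    return body + filler * (bucket - len(body))

if __name__ == "__main__":
    short, long_ = b"x" * 14590, b"x" * 14610        # constructed bodies
    print(distinguishable(len(short), len(long_)))    # True: 1 vs 2 rounds
    bucket = size_interval_for_rounds(2)[1]            # 43800 bytes
    padded = [pad_to_bucket(b, bucket) for b in (short, long_)]
    print(distinguishable(*map(len, padded)))          # False: both 2 rounds
```

The 20-byte difference between the two sample bodies straddles the first window boundary, which is exactly the signal the congestion window exposes; once both are padded to the same bucket the round count no longer depends on the secret.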

Reservation: 09/06/2016

Disclosure: 09/06/2016

Moderation: accepted

Entry: 6


CPE: ready

EPSS: 0.01253

KEV: no

Activities: very low
