CVE-2022-41723 is a high-severity vulnerability in the Go standard library's net/http package, specifically affecting the HTTP/2 implementation. The issue arises from uncontrolled resource consumption in the HPACK decoder, which is responsible for decompressing HTTP/2 header fields. An attacker can craft malicious HTTP/2 streams that trigger excessive CPU usage during HPACK decoding. This can lead to a denial of service (DoS) condition by exhausting CPU resources with only a small number of crafted requests. The vulnerability affects all Go versions prior to 1.20.0-0, meaning any application or service using these versions of the Go net/http library for HTTP/2 communication is potentially vulnerable. The CVSS v3.1 base score is 7.5, indicating a high impact primarily on availability, with no impact on confidentiality or integrity. The attack vector is network-based (AV:N), requires no privileges (PR:N), and no user interaction (UI:N), making exploitation relatively straightforward. There are no known exploits in the wild as of the published date, but the vulnerability's nature makes it a significant risk for services exposed to untrusted HTTP/2 traffic. Since the vulnerability targets the HPACK decoder, which is integral to HTTP/2 header processing, the impact is on the availability of services relying on Go's net/http package for HTTP/2, potentially causing service outages or degraded performance under attack.

For European organizations, the impact of CVE-2022-41723 could be substantial, especially for those running web services, APIs, or microservices built with Go that utilize HTTP/2. Such services could be disrupted by attackers sending crafted HTTP/2 requests, leading to denial of service and impacting business continuity. This is particularly critical for sectors relying on high availability and real-time data processing, such as financial services, e-commerce, telecommunications, and public sector digital services. The vulnerability could also affect cloud service providers and SaaS platforms hosted in Europe that use Go-based HTTP/2 servers, potentially causing widespread service degradation or outages. Given the ease of exploitation (no authentication or user interaction required), attackers could launch automated attacks at scale. This could lead to reputational damage, financial losses, and regulatory scrutiny under GDPR if service disruptions affect data availability or processing. Additionally, the vulnerability could be leveraged as part of multi-vector attacks targeting critical infrastructure or government services within Europe.

European organizations should prioritize updating the Go runtime and net/http package to version 1.20.0 or later, where this vulnerability is patched. For environments where immediate upgrading is not feasible, implementing network-level mitigations such as rate limiting HTTP/2 requests, especially from untrusted sources, can reduce the risk of exploitation. Deploying Web Application Firewalls (WAFs) or HTTP/2-aware proxies that can detect and block anomalous HPACK header compression patterns may help mitigate attack attempts. Monitoring CPU usage and HTTP/2 traffic patterns for unusual spikes can provide early detection of exploitation attempts. Organizations should also review their incident response plans to include scenarios involving HTTP/2 DoS attacks. For critical services, consider temporarily disabling HTTP/2 support if the risk outweighs the benefits until patches are applied. Finally, ensure that all Go-based applications are built with updated dependencies and that continuous vulnerability scanning is integrated into the development lifecycle to catch such issues promptly.