Title: Lighttpd 1.4.56 - 1.4.66 Resource Leak Denial of Service PoC
Advisory ID: ZSL-2026-5968
Type: Local/Remote
Impact: DoS
Risk: (3/5)
Release Date: 23.01.2026
Summary
lighttpd (pronounced /lighty/) is a secure, fast, compliant, and very flexible web server that has been optimized for high-performance environments. lighttpd uses memory and CPU efficiently and has lower resource use than other popular web servers. Its advanced feature-set (FastCGI, CGI, Auth, Output-Compression, URL-Rewriting and much more) makes lighttpd the perfect web server for all systems, small and large.
Description
CVE-2022-41556 is a resource-leak vulnerability in gw_backend.c of lighttpd 1.4.56 through 1.4.66 that affects gateway backends such as mod_fastcgi. When lighttpd handles an HTTP/1.1 request with Transfer-Encoding: chunked while request-body streaming to the backend is enabled, it mishandles an anomalous client disconnect (an RDHUP, i.e. a half-closed TCP connection) that arrives before the terminating chunk has been sent. In that state the gateway handler returns HANDLER_WAIT_FOR_EVENT instead of moving to an error or cleanup path, so the backend connection slot is never released. By repeatedly opening such half-closed connections, a remote attacker can exhaust the available backend slots; new dynamic requests then hang indefinitely, and the denial of service persists until lighttpd is restarted.
Vendor
Glenn Strauss - https://www.lighttpd.net
Affected Version
1.4.56 - 1.4.66
Tested On
lighttpd 1.4.64
Vendor Status
[17.09.2022] Fixed version 1.4.67 released.
PoC
lightslot.py
Credits
Exploit coded by Gjoko Krstic - <[email protected]>
References
[1] https://www.cve.org/CVERecord?id=CVE-2022-41556
[2] https://www.lighttpd.net/2022/9/17/1.4.67/
[3] https://bugzilla.redhat.com/show_bug.cgi?id=2130967
[4] https://packetstorm.news/files/id/214292/
Changelog
[23.01.2026] - Initial release
Contact
Zero Science Lab
Web: https://www.zeroscience.mk
e-mail: [email protected]