A vulnerability was found in HTTP/2. An attacker can open a HTTP/2 window so the peer can send without constraint. The TCP window remains closed so the peer cannot write the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the server's queue is setup, the responses can consume excess memory, CPU, or both, potentially leading to a denial of service. The highest threat from this vulnerability is to system availability.