Lucene search
+L

417 matches found

RedHat Linux
RedHat Linux
added 3 days ago7 views

undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames

A flaw was found in undici. A malicious WebSocket server can exploit this by streaming numerous small or empty continuation frames. This can bypass per-frame and cumulative-size validation, leading to unbounded memory growth in the client process. The primary consequence is memory exhaustion,...

7.5CVSS6.9AI score0.00789EPSS
Exploits0References6
EUVD
EUVD
added 4 days ago6 views

EUVD-2026-43643

Allocation of resources without limits vulnerability in elixir-mint mint allows a remote HTTP/2 server to exhaust memory on the client host and cause a denial of service. The Mint.HTTP2.handlecontinuation/3 function in lib/mint/http2.ex accumulates the header-block fragment carried by each HTTP/2...

6.3CVSS6.2AI score0.00305EPSS
Exploits0References4
CVE
CVE
added 4 days ago9 views

CVE-2026-59246

The CVE concerns elixir-mint mint: an unbounded chain of zero-length HTTP/2 CONTINUATION frames can bypass the header-block size cap in Mint.HTTP2.handle_continuation/3, causing unbounded memory growth on the client and eventual out-of-memory termination. The vulnerability arises because each CON...

6.3CVSS6.2AI score0.00305EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 2026/07/02 12:3 a.m.5 views

netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood

A flaw was found in Netty. A remote user can trigger a Denial of Service DoS against a Netty HTTP/2 server by sending a flood of CONTINUATION frames. The server's lack of a limit on these frames, coupled with a bypass of size-based mitigations using zero-byte frames, allows an attacker to consume...

8.7CVSS6.8AI score0.01125EPSS
Exploits0References5
EUVD
EUVD
added 2026/06/19 2:22 p.m.12 views

EUVD-2026-37747

undici WebSocket client vulnerable to denial of service via fragment count bypass...

7.5CVSS5.8AI score0.00789EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.28 views

PT-2026-50456

Name of the Vulnerable Software and Affected Versions undici versions 6.17.0 through 6.25.x undici versions 7.0.0 through 7.27.x undici versions 8.0.0 through 8.4.x Description The WebSocket client fails to limit the number of fragments in a message, only enforcing the maxPayloadSize on the...

7.5CVSS5.3AI score0.00789EPSS
Exploits0References145
Veracode
Veracode
added 2026/06/11 3:54 p.m.19 views

Infinite Loop

net/http is vulnerable to Infinite Loop. The vulnerability is due to improper handling of HTTP/2 SETTINGS frames, where receiving a SETTINGSMAXFRAMESIZE value of 0 causes the transport layer to enter an infinite loop while writing CONTINUATION frames, leading to excessive resource consumption and...

7.5CVSS5.2AI score0.00781EPSS
Exploits0References16Affected Software2
NVD
NVD
added 2026/06/06 10:16 a.m.17 views

CVE-2026-10725

Protocol::HTTP2 versions before 1.13 for Perl is vulnerable to a HTTP/2 Bomb. Protocol::HTTP2's inbound HPACK path has no header-list size limit, so a small HTTP/2 request can expand into large server memory the "HTTP/2 bomb". The headersdecode method materialises a full key+value copy per indexe...

7.5CVSS0.00414EPSS
Exploits0References6
OSV
OSV
added 2026/06/06 10:16 a.m.9 views

UBUNTU-CVE-2026-10725

Protocol::HTTP2 versions before 1.13 for Perl is vulnerable to a HTTP/2 Bomb. Protocol::HTTP2's inbound HPACK path has no header-list size limit, so a small HTTP/2 request can expand into large server memory the "HTTP/2 bomb". The headersdecode method materialises a full key+value copy per indexe...

7.5CVSS5.4AI score0.00414EPSS
Exploits0References7
CVE
CVE
added 2026/06/06 9:14 a.m.78 views

CVE-2026-10725

Protocol::HTTP2 for Perl (versions up to 1.12) is vulnerable to an HTTP/2 Bomb. The inbound HPACK path lacks a header-list size limit; headers_decode materialises a full key+value copy per indexed reference with no running size check, and stream_header_block_add appends every CONTINUATION frame u...

7.5CVSS5.7AI score0.00414EPSS
Exploits0References6Affected Software1
Cvelist
Cvelist
added 2026/06/06 9:14 a.m.44 views

CVE-2026-10725 Protocol::HTTP2 versions before 1.13 for Perl is vulnerable to a HTTP/2 Bomb

Protocol::HTTP2 versions before 1.13 for Perl is vulnerable to a HTTP/2 Bomb. Protocol::HTTP2's inbound HPACK path has no header-list size limit, so a small HTTP/2 request can expand into large server memory the "HTTP/2 bomb". The headersdecode method materialises a full key+value copy per indexe...

0.00414EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/06 12:0 a.m.35 views

PT-2026-47148

Name of the Vulnerable Software and Affected Versions Protocol::HTTP2 versions prior to 1.13 Description The software is susceptible to an HTTP/2 Bomb, where a small request can expand into large server memory consumption. This occurs because the inbound HPACK path lacks a header-list size limit...

7.5CVSS5.7AI score0.00414EPSS
Exploits0References26
RedhatCVE
RedhatCVE
added 2026/06/05 7:46 p.m.11 views

CVE-2026-33814

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGSMAXFRAMESIZE with a value of 0...

7.5CVSS5.4AI score0.00781EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:19 p.m.11 views

CVE-2026-49754

Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint Mint allows attacker-controlled HTTP/2 servers to exhaust memory in a Mint client HTTP/2 CONTINUATION flood. When Mint's HTTP/2 receive path observes a HEADERS frame without the ENDHEADERS flag, the unparsed...

8.2CVSS5.6AI score0.00384EPSS
Exploits0References1
RedHat Linux
RedHat Linux
added 2026/06/04 12:39 p.m.3 views

net/http/internal/http2: golang: golang.org/x/net: Go HTTP/2: Denial of Service via malformed SETTINGS_MAX_FRAME_SIZE frame

A flaw was found in the HTTP/2 protocol implementation within the Go standard library golang.org/x/net and net/http/internal/http2. A remote attacker can exploit this vulnerability by sending a specially crafted HTTP/2 SETTINGS frame with the SETTINGSMAXFRAMESIZE parameter set to zero. This...

7.5CVSS6.1AI score0.00781EPSS
Exploits0References9
Tenable Nessus
Tenable Nessus
added 2026/06/04 12:0 a.m.10 views

HCL BigFix Remote Control <= 10.1.0.0442 Multiple Vulnerabilities

The version of HCL BigFix Remote Control running on the remote host is 10.1.0.0442 or earlier. It is, therefore, affected by multiple vulnerabilities: - A misconfigured Content Security Policy CSP in HCL BigFix Remote Control Server WebUI versions 10.1.0.0442 and earlier fails to define directive...

8.7CVSS6.6AI score0.01125EPSS
Exploits1References4
NVD
NVD
added 2026/06/02 4:16 p.m.20 views

CVE-2026-49754

Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint Mint allows attacker-controlled HTTP/2 servers to exhaust memory in a Mint client HTTP/2 CONTINUATION flood. When Mint's HTTP/2 receive path observes a HEADERS frame without the ENDHEADERS flag, the unparsed...

8.2CVSS0.00384EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/06/02 2:15 p.m.11 views

CVE-2026-49754 HTTP/2 CONTINUATION flood in Mint client via unbounded header-block accumulation

Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint Mint allows attacker-controlled HTTP/2 servers to exhaust memory in a Mint client HTTP/2 CONTINUATION flood. When Mint's HTTP/2 receive path observes a HEADERS frame without the ENDHEADERS flag, the unparsed...

8.2CVSS5.9AI score0.00384EPSS
Exploits0References4
OSV
OSV
added 2026/06/02 2:15 p.m.2 views

CVE-2026-49754 HTTP/2 CONTINUATION flood in Mint client via unbounded header-block accumulation

Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint Mint allows attacker-controlled HTTP/2 servers to exhaust memory in a Mint client HTTP/2 CONTINUATION flood. When Mint's HTTP/2 receive path observes a HEADERS frame without the ENDHEADERS flag, the unparsed...

8.2CVSS6AI score0.00384EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 2026/06/02 12:0 a.m.21 views

PT-2026-45787

Name of the Vulnerable Software and Affected Versions elixir-mint versions 0.1.0 through 1.8.x Description An issue exists where attacker-controlled HTTP/2 servers can cause memory exhaustion in a client. This occurs because the HTTP/2 receive path does not cap the accumulator when a HEADERS fram...

8.2CVSS6AI score0.00384EPSS
Exploits0References13
Rows per page
Query Builder