209 matches found
SUSE SLED15 / SLES15 / openSUSE 15 Security Update : wireshark (SUSE-SU-2026:0237-1)
The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0237-1 advisory. - CVE-2026-0959: IEEE 802.11 dissector crash (bsc#1256734). - CVE-2026-0960: HTTP3 dissector infini...
MiracleLinux 8 : dotnet8.0-8.0.110-1.el8_10.ML.1 (AXSA:2024-8896:17)
The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2024-8896:17 advisory. dotnet: kestrel: closing an HTTP/3 stream can cause a race condition and lead to remote code execution (CVE-2024-38229) dotnet: Multiple .NET componen...
CVE-2026-0960
HTTP3 protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.2 allows denial of service...
AZL-74994 CVE-2026-0960 affecting package wireshark 4.4.7-1
HTTP3 protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.2 allows denial of service...
EUVD-2026-2438
HTTP3 protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.2 allows denial of service...
CVE-2026-0960
CVE-2026-0960 affects Wireshark 4.6.0–4.6.2 with an HTTP3 protocol dissector infinite loop that can cause denial of service. Connected advisories confirm the issue across distributions and indicate a fix was released in Wireshark 4.6.3 (e.g., Fedora/SUSE advisories, Debian DSA-6124-1). Impact is ...
Allocation of Resources Without Limits or Throttling
Overview: Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the lack of resource-limiting controls in the gRPC, HTTPS, and HTTP3 server implementations. An attacker can exhaust memory and cause the server to degrade or crash by opening...
CVE-2025-68151 CoreDNS gRPC/HTTPS/HTTP3 servers lack resource limits, enabling DoS via unbounded connections and oversized messages
CoreDNS is a DNS server that chains plugins. Prior to version 1.14.0, multiple CoreDNS server implementations (gRPC, HTTPS, and HTTP/3) lack critical resource-limiting controls. An unauthenticated remote attacker can exhaust memory and degrade or crash the server by opening many concurrent...
curl: HTTP/3 Protocol Smuggling and Header Injection via CRLF in QPACK value conversion
A fundamental design flaw exists in how libcurl handles HTTP/3 QUIC response headers across all supported backends (ngtcp2, quiche, openssl-quic). The vulnerability stems from the unsafe transcoding of binary QPACK headers (HTTP/3) into the textual HTTP/1.1 format used internally by curl's pipeline...
CVE-2025-64702
quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to excessive memory allocation through quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (many unique header...
DEBIAN-CVE-2025-64702
quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to excessive memory allocation through quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (many unique header...
CVE-2025-64702
CVE-2025-64702 affects quic-go (Go QUIC implementation) and is documented across multiple feeds. The issue occurs in versions 0.56.0 and earlier where the HTTP/3 client and server decode QPACK HEADERS frames into http.Header without enforcing a decoded-header size limit, leading to memory exhaust...
EUVD-2025-202714
quic-go HTTP/3 QPACK Header Expansion DoS...
GHSA-G754-HX8W-X2G6 quic-go HTTP/3 QPACK Header Expansion DoS
Summary: An attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (many unique header names and/or large values). The implementation builds an http.Header used on th...
BIT-NGINX-GATEWAY-2024-35200 NGINX HTTP/3 QUIC vulnerability
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate...