PT-2026-28320

Name of the Vulnerable Software and Affected Versions Node.js versions 20.x through 25.x Description An incomplete fix allows bypassing of intended write restrictions when using the Permission Model with restricted --allow-fs-write. Specifically, the FileHandle.chmod and FileHandle.chown methods...

PT-2026-26134

Name of the Vulnerable Software and Affected Versions nghttp2 versions prior to 1.68.1 Description nghttp2 is a C implementation of the Hypertext Transfer Protocol version 2. Versions of nghttp2 prior to 1.68.1 are susceptible to a denial-of-service condition. This occurs because the library does...

PT-2026-3360

Name of the Vulnerable Software and Affected Versions Node.js versions affected versions not specified Description A flaw in Node.js TLS error handling can allow remote attackers to crash or exhaust resources of a TLS server when pskCallback or ALPNCallback are in use. Synchronous exceptions thro...

Unity Linux 20.1070e Security Update: nodejs (UTSA-2025-993344)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-993344 advisory. A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by...

SUSE SLES15 Security Update : libsoup (SUSE-SU-2025:4514-1)

The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:4514-1 advisory. - CVE-2025-12105: Fixed heap use-after-free in message queue handling during HTTP/2 read completion bsc1252555 Tenable has extracte...

SUSE-SU-2025:4514-1 Security update for libsoup

This update for libsoup fixes the following issues: - CVE-2025-12105: Fixed heap use-after-free in message queue handling during HTTP/2 read completion bsc1252555...

Libsoup: heap use-after-free in libsoup message queue handling during http/2 read completion

...

Security Bulletin: IBM Storage Ceph is vulnerable to CWE in Golang (CVE-2023-39325)

Summary Golang is used by IBM Storage Ceph in Grafana. CVE-2023-39325 Vulnerability Details CVEID:CVE-2023-39325 DESCRIPTION: A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is...

EulerOS Virtualization 2.13.0 : mod_http2 (EulerOS-SA-2025-2588)

According to the versions of the modhttp2 package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : In certain proxy configurations, a denial of service attack againstApache HTTP Server versions 2.4.26 through to 2.4.63 can be...

Moderate: Red Hat Security Advisory: libsoup3 security update

An update for libsoup3 is now available for Red Hat Enterprise Linux 10.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available fo...

Ubuntu 22.04 LTS / 24.04 LTS / 25.04 / 25.10 : libsoup vulnerability (USN-7932-1)

The remote Ubuntu 22.04 LTS / 24.04 LTS / 25.04 / 25.10 host has packages installed that are affected by a vulnerability as referenced in the USN-7932-1 advisory. It was discovered libsoup incorrectly handled memory when handling specific HTTP/2 read and cancel sequences. An attacker could possib...

Exploit for Uncontrolled Resource Consumption in Ietf Http

cve-2023-44487 - http/2 rapid reset attack by 7pirqte wha...

RockyLinux 10 : libsoup3 (RLSA-2025:23139)

The remote RockyLinux 10 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2025:23139 advisory. libsoup: Heap Use-After-Free in libsoup message queue handling during HTTP/2 read completion CVE-2025-12105 Tenable has extracted the preceding description bloc...

DoS (Denial of Service) io.netty:netty-codec-http2 Dependency in Bamboo Data Center and Server

This High severity DoS Denial of Service vulnerability was introduced in versions 9.6.1, 10.2.0 of Bamboo Data Center and Server. This DoS Denial of Service vulnerability, with a CVSS Score of 8.2 and a CVSS Vector of: code:java...

libsoup: Heap Use-After-Free in libsoup message queue handling during HTTP/2 read completion

A flaw was found in the asynchronous message queue handling of the libsoup library, widely used by GNOME and WebKit-based applications to manage HTTP/2 communications. When network operations are aborted at specific timing intervals, an internal message queue item may be freed twice due to missin...

Security Bulletin: Netty HTTP/2 MadeYouReset Vulnerability Allows Bypass of Max Concurrent Streams, Enabling DDoS Attacks, affects watsonx.data

Summary Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the max...

RLSA-2023:5869 Important: nodejs:18 security update

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fixes: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack Rapid Reset Attack CVE-2023-44487 A Rocky Enterprise Software Foundati...

Security Bulletin: gRPC HTTP/2 HPACK Desynchronization Vulnerability Allowing Header Leakage and Privilege Escalation, affects watsonx.data

Summary When gRPC encountered an exceeded header size error, it stopped parsing the remainder of the HPACK frame. This also prevented HPACK dynamic table updates from being processed, causing the sender and receiver HPACK tables to fall out of sync. In environments using an HTTP 2 proxy in front ...

RockyLinux 8 : nodejs:18 (RLSA-2023:5869)

The remote RockyLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2023:5869 advisory. HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack Rapid Reset Attack CVE-2023-44487 A Rocky Enterprise Software Foundation...

RockyLinux 9 : nodejs:18 (RLSA-2023:5849)

The remote RockyLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2023:5849 advisory. HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack Rapid Reset Attack CVE-2023-44487 nodejs: integrity checks according to...