58 matches found

OSV, added 2026/04/02 3:16 p.m., 1 view

DEBIAN-CVE-2026-31935

Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, flooding of crafted HTTP2 continuation frames can lead to memory exhaustion, usually resulting in the Suricata process being shut down by the operating system. This issue has been patched in versions 7.0.15 and 8.0.4...

CVSS 7.5 | AI score 5.2 | EPSS 0.00056
Exploits 0 | References 1
CVE, added 2026/04/02 2:36 p.m., 11 views

CVE-2026-31935

CVE-2026-31935 affects Suricata (IDS/IPS/NSM engine). The issue arises when flooding crafted HTTP2 continuation frames leads to memory exhaustion, usually causing the Suricata process to be terminated by the OS. It is fixed in Suricata versions 7.0.15 and 8.0.4. Connected sources confirm the vulner...

CVSS 7.5 | AI score 5.7 | EPSS 0.00056
Exploits 0 | References 2 | Affected Software 1
RedhatCVE, added 2026/03/26 3:6 p.m., 2 views

CVE-2026-26311

Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, a logic vulnerability in Envoy's HTTP connection manager FilterManager allows for Zombie Stream Filter Execution. This issue creates a "Use-After-Free" (UAF) or state-corruption window where...

CVSS 5.9 | AI score 5.8 | EPSS 0.00019
Exploits 1 | References 1
RedhatCVE, added 2026/03/23 10:53 a.m., 4 views

CVE-2026-33186

A flaw was found in gRPC-Go, the Go language implementation of gRPC. This vulnerability, an authorization bypass, is caused by improper input validation of the HTTP/2 :path pseudo-header. A remote attacker can exploit this by sending raw HTTP/2 frames with a malformed :path that omits the mandato...

CVSS 9.1 | AI score 5.8 | EPSS 0.0002
Exploits 1 | References 4
SUSE CVE, added 2026/03/03 12:24 a.m., 2 views

SUSE CVE-2026-27141

Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic...

CVSS 7.5 | AI score 5.8 | EPSS 0.00023
Exploits 0 | References 4
OSV, added 2026/02/26 8:31 p.m., 1 view

AZL-78656 CVE-2026-27141 affecting package buildah 1.41.4-6

Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic...

CVSS 7.5 | AI score 7.2 | EPSS 0.00023
Exploits 0 | References 1
OSV, added 2026/02/26 8:31 p.m., 1 view

AZL-78653 CVE-2026-27141 affecting package azl-otel-collector 0.127.0-1

Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic...

CVSS 7.5 | AI score 7.4 | EPSS 0.00023
Exploits 0 | References 1
OSV, added 2026/02/26 8:31 p.m., 1 view

AZL-78629 CVE-2026-27141 affecting package nmi 1.8.17-6

Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic...

CVSS 7.5 | AI score 7.2 | EPSS 0.00023
Exploits 0 | References 1
OSV, added 2026/02/26 8:31 p.m., 1 view

AZL-78659 CVE-2026-27141 affecting package cri-o 1.30.1-1

Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic...

CVSS 7.5 | AI score 7.2 | EPSS 0.00023
Exploits 0 | References 1
OSV, added 2026/02/26 8:31 p.m., 1 view

AZL-78680 CVE-2026-27141 affecting package azurelinux-image-tools 1.2.0-1

Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic...

CVSS 7.5 | AI score 7.4 | EPSS 0.00023
Exploits 0 | References 1
CVE, added 2026/02/26 6:50 p.m., 16 views

CVE-2026-27141

CVE-2026-27141 affects the HTTP/2 frame handling in golang.org/x/net. A missing nil check when sending frames in the 0x0a–0x0f range can cause a running server to panic. The description documents the root cause and symptom but does not specify affected versions, concrete impact scope, exploitation...

CVSS 7.5 | AI score 5.4 | EPSS 0.00023
Exploits 0 | References 4
ATTACKERKB, added 2026/02/26 6:50 p.m., 3 views

CVE-2026-27141

Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic...

CVSS 7.5 | AI score 7.1 | EPSS 0.00023
Exploits 0 | References 5 | Affected Software 1
Cvelist, added 2026/02/26 6:50 p.m., 20 views

CVE-2026-27141 Sending certain HTTP/2 frames can cause a server to panic in golang.org/x/net

Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic...

EPSS 0.00023
Exploits 0 | References 4
Positive Technologies, added 2026/02/26 12:0 a.m., 5 views

PT-2026-22177

Name of the Vulnerable Software and Affected Versions: versions prior to 2026-27141. Description: A missing nil check allows a server to panic when receiving specific HTTP/2 frames, specifically those ranging from 0x0a to 0x0f. This issue does not have any reported real-world incidents or estimated...

CVSS 9.9 | AI score 6 | EPSS 0.00733
Exploits 47 | References 162
Tenable Nessus, added 2025/10/04 12:0 a.m., 7 views

RockyLinux 10 : tomcat9 (RLSA-2025:11332)

The remote RockyLinux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2025:11332 advisory. tomcat: Incomplete fix for CVE-2024-50379 - RCE due to TOCTOU issue in JSP compilation (CVE-2024-56337); tomcat: Apache Tomcat: DoS via malformed HTTP/2...

CVSS 9.8 | AI score 7.6 | EPSS 0.84776
Exploits 17 | References 5
Veracode, added 2025/09/30 1:54 p.m., 3 views

Denial Of Service (DoS)

Netty is vulnerable to Denial Of Service (DoS). The vulnerability is due to improper handling of malformed HTTP/2 control frames, caused by a flaw in enforcing the max concurrent streams limit, leading to resource exhaustion and denial of service...

CVSS 8.2 | AI score 6.7 | EPSS 0.00053
Exploits 1 | References 7 | Affected Software 2
Snyk, added 2025/08/20 8:52 p.m., 2 views

Allocation of Resources Without Limits or Throttling

Overview: Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via malformed HTTP/2 control frames that manipulate the RST_STREAM process. An attacker can exhaust server resources and disrupt service availability by rapidly sending specially craft...

CVSS 8.7 | AI score 7 | EPSS 0.00529
Exploits 0 | References 2
Tenable Nessus, added 2025/08/20 12:0 a.m., 5 views

RHEL 8 : tomcat (RHSA-2025:14177)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2025:14177 advisory. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fixes: tomcat: Apache Tomcat DoS ...

CVSS 7.5 | AI score 7.7 | EPSS 0.01278
Exploits 1 | References 16
RedHat Linux, added 2025/07/30 3:55 p.m., 1 view

tomcat: Apache Tomcat denial of service

A denial of service flaw was found in Apache Tomcat. An uncontrolled resource consumption vulnerability, where an HTTP/2 client fails to acknowledge the initial settings frame that reduces the maximum permitted concurrent streams, could result in a denial of service...

CVSS 7.5 | AI score 7.1 | EPSS 0.01247
Exploits 0 | References 5
OSV, added 2025/06/20 1:26 p.m., 1 view

OESA-2025-1659 trafficserver security update

Apache Traffic Server is an open source HTTP / HTTPS / HTTP/2 / QUIC reverse, forward and transparent proxy and cache. Security Fixes: Improper Input Validation vulnerability in Apache Traffic Server with malformed HTTP/2 frames. This issue affects Apache Traffic Server: from 9.0.0 through 9.2.2...

CVSS 7.5 | AI score 6.9 | EPSS 0.07819
Exploits 0 | References 2