CVE-2026-39865 Axios HTTP/2 Session Cleanup State Corruption Vulnerability

Axios is a promise based HTTP client for the browser and Node.js. Starting in version 1.13.0 and prior to 1.13.2, Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process through concurrent session closures. The vulnerability...

CVE-2026-39865

Axios is a promise based HTTP client for the browser and Node.js. Starting in version 1.13.0 and prior to 1.13.2, Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process through concurrent session closures. The vulnerability...

Security update for dnsdist (low)

openSUSE security update: security update for dnsdist ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:20461-1 Rating: low References: bsc1250054 bsc1253852 Cross-References: CVE-2025-30187 CVE-2025-8671 CVSS scores: CVE-2025-30187 SUSE : 3.7...

SUSE SLES15 / openSUSE 15 Security Update : google-cloud-sap-agent (SUSE-SU-2026:1194-1)

The remote SUSE Linux SLES15 / SLESSAP15 / openSUSE 15 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2026:1194-1 advisory. This update for google-cloud-sap-agent fixes the following issue: Update to google-cloud-sap-agent 3.12 bsc1259816: -...

Security update for ignition

This update for ignition fixes the following issue: CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2: path pseudo- header bsc1260251 Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST...

SUSE-SU-2026:1200-1 Security update for ignition

This update for ignition fixes the following issue: - CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2: path pseudo- header bsc1260251...

Exploit for CVE-2026-35616

CVE-2026-35616 - FortiClient EMS Vulnerability Detector !Py...

CVE-2026-31935

Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, flooding of craft HTTP2 continuation frames can lead to memory exhaustion, usually resulting in the Suricata process being shut down by the operating system. This issue has been patched in versions 7.0.15 and 8.0.4...

DEBIAN-CVE-2026-31935

Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, flooding of craft HTTP2 continuation frames can lead to memory exhaustion, usually resulting in the Suricata process being shut down by the operating system. This issue has been patched in versions 7.0.15 and 8.0.4...

UBUNTU-CVE-2026-31935

Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, flooding of craft HTTP2 continuation frames can lead to memory exhaustion, usually resulting in the Suricata process being shut down by the operating system. This issue has been patched in versions 7.0.15 and 8.0.4...

CVE-2026-31935 Suricata http2: unbounded resource consumption

Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, flooding of craft HTTP2 continuation frames can lead to memory exhaustion, usually resulting in the Suricata process being shut down by the operating system. This issue has been patched in versions 7.0.15 and 8.0.4...

CVE-2026-31935

CVE-2026-31935 affects Suricata (IDS/IPS/NSM engine). The issue arises when flooding craft HTTP2 continuation frames leads to memory exhaustion, usually causing the Suricata process to be terminated by the OS. It is fixed in Suricata versions 7.0.15 and 8.0.4. Connected sources confirm the vulner...

SUSE-SU-2026:20995-1 Security update for dnsdist

This update for dnsdist fixes the following issues: Update to dnsdist 1.9.11: - CVE-2025-8671: add mitigations for the HTTP/2 MadeYouReset attack bsc1253852. - CVE-2025-30187: denial of service via crafted DoH exchange bsc1250054...

Suricata 安全漏洞

Suricata is a network IDS, IPS, and NSM engine developed by the Open Information Security Foundation. Versions of Suricata prior to 7.0.15 and 8.0.4 contained security vulnerabilities. These vulnerabilities were caused by the flooding of specially crafted HTTP2 continuation frames, which could le...

JLSEC-2026-20

Hyperium Hyper before 0.14.19 does not allow for customization of the maxheaderlistsize method in the H2 third-party software, allowing attackers to perform HTTP2 attacks...

EUVD-2026-17403

When the earlyacldrop earlyACLDrop in Lua option is disabled default is enabled on a DNS over HTTPs frontend using the nghttp2 provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL...

SUSE CVE-2026-33871

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service DoS against a Netty HTTP/2 server by sending a flood of CONTINUATION frames. The server's lack of a limit on the number of...

EUVD-2026-17176

A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOWUPDATE frames on stream 0 connection-level that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. This vulnerabili...

CVE-2026-21714

CVE-2026-21714 corresponds to a memory leak in the Node.js HTTP/2 server triggered by WINDOW_UPDATE on stream 0, leading to resource exhaustion. The issue affects HTTP/2 users on Node.js 20.x, 22.x, 24.x and 25.x and is addressed in the March 24, 2026 security releases for the affected release li...

CVE-2026-21714

A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOWUPDATE frames on stream 0 connection-level that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. This vulnerabili...