
1255 matches found

Microsoft CVE
added 2025/12/21 9:1 a.m., 10 views

Libsoup: heap use-after-free in libsoup message queue handling during http/2 read completion

...

7.5 CVSS, 6.7 AI score, 0.00071 EPSS
Exploits 0

IBM Security Bulletins
added 2025/12/19 8:13 p.m., 5 views

Security Bulletin: IBM Storage Ceph is vulnerable to CWE in Golang (CVE-2023-39325)

Summary Golang is used by IBM Storage Ceph in Grafana. CVE-2023-39325 Vulnerability Details CVEID:CVE-2023-39325 DESCRIPTION: A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is...

7.5 CVSS, 8.7 AI score, 0.0015 EPSS
Exploits 0, Affected Software 1

Tenable Nessus
added 2025/12/18 12:0 a.m., 1 views

EulerOS Virtualization 2.13.0 : mod_http2 (EulerOS-SA-2025-2588)

According to the versions of the mod_http2 package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be...

7.5 CVSS, 7.2 AI score, 0.03545 EPSS
Exploits 0, References 2

RedHat Linux
added 2025/12/17 7:32 a.m., 2 views

Moderate: Red Hat Security Advisory: libsoup3 security update

An update for libsoup3 is now available for Red Hat Enterprise Linux 10.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available fo...

7.5 CVSS, 5.8 AI score, 0.00071 EPSS
Exploits 0, References 2

Tenable Nessus
added 2025/12/16 12:0 a.m., 3 views

Ubuntu 22.04 LTS / 24.04 LTS / 25.04 / 25.10 : libsoup vulnerability (USN-7932-1)

The remote Ubuntu 22.04 LTS / 24.04 LTS / 25.04 / 25.10 host has packages installed that are affected by a vulnerability as referenced in the USN-7932-1 advisory. It was discovered libsoup incorrectly handled memory when handling specific HTTP/2 read and cancel sequences. An attacker could possib...

7.5 CVSS, 5.5 AI score, 0.00071 EPSS
Exploits 0, References 2

GithubExploit
added 2025/12/14 4:43 p.m., 188 views

Exploit for Uncontrolled Resource Consumption in Ietf Http

cve-2023-44487 - http/2 rapid reset attack by 7pirqte wha...

7.5 CVSS, 6.9 AI score, 0.944 EPSS
Exploits 19

Tenable Nessus
added 2025/12/13 12:0 a.m., 2 views

RockyLinux 10 : libsoup3 (RLSA-2025:23139)

The remote RockyLinux 10 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2025:23139 advisory. libsoup: Heap Use-After-Free in libsoup message queue handling during HTTP/2 read completion CVE-2025-12105 Tenable has extracted the preceding description bloc...

7.5 CVSS, 5.4 AI score, 0.00071 EPSS
Exploits 0, References 3

Atlassian
added 2025/12/12 7:27 a.m., 12 views

DoS (Denial of Service) io.netty:netty-codec-http2 Dependency in Bamboo Data Center and Server

This High severity DoS Denial of Service vulnerability was introduced in versions 9.6.1, 10.2.0 of Bamboo Data Center and Server. This DoS Denial of Service vulnerability, with a CVSS Score of 8.2 and a CVSS Vector of: code:java...

8.2 CVSS, 7.3 AI score, 0.00053 EPSS
Exploits 1

RedHat Linux
added 2025/12/11 5:48 p.m., 2 views

libsoup: Heap Use-After-Free in libsoup message queue handling during HTTP/2 read completion

A flaw was found in the asynchronous message queue handling of the libsoup library, widely used by GNOME and WebKit-based applications to manage HTTP/2 communications. When network operations are aborted at specific timing intervals, an internal message queue item may be freed twice due to missin...

7.5 CVSS, 5.6 AI score, 0.00071 EPSS
Exploits 0, References 5

IBM Security Bulletins
added 2025/12/09 4:55 a.m., 8 views

Security Bulletin: Netty HTTP/2 MadeYouReset Vulnerability Allows Bypass of Max Concurrent Streams, Enabling DDoS Attacks, affects watsonx.data

Summary Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the max...

8.2 CVSS, 6.7 AI score, 0.00053 EPSS
Exploits 1, Affected Software 1

OSV
added 2025/12/04 9:3 a.m., 7 views

RLSA-2023:5869 Important: nodejs:18 security update

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fixes: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack Rapid Reset Attack CVE-2023-44487 A Rocky Enterprise Software Foundati...

7.5 CVSS, 7.3 AI score, 0.944 EPSS
Exploits 19, References 5

IBM Security Bulletins
added 2025/12/04 8:44 a.m., 4 views

Security Bulletin: gRPC HTTP/2 HPACK Desynchronization Vulnerability Allowing Header Leakage and Privilege Escalation, affects watsonx.data

Summary When gRPC encountered an exceeded header size error, it stopped parsing the remainder of the HPACK frame. This also prevented HPACK dynamic table updates from being processed, causing the sender and receiver HPACK tables to fall out of sync. In environments using an HTTP 2 proxy in front ...

7.5 CVSS, 6.6 AI score, 0.00075 EPSS
Exploits 0, Affected Software 1

Tenable Nessus
added 2025/12/04 12:0 a.m., 4 views

RockyLinux 8 : nodejs:18 (RLSA-2023:5869)

The remote RockyLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2023:5869 advisory. HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack Rapid Reset Attack CVE-2023-44487 A Rocky Enterprise Software Foundation...

7.5 CVSS, 7.3 AI score, 0.944 EPSS
Exploits 19, References 9

Tenable Nessus
added 2025/12/04 12:0 a.m., 5 views

RockyLinux 9 : nodejs:18 (RLSA-2023:5849)

The remote RockyLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2023:5849 advisory. HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack Rapid Reset Attack CVE-2023-44487 nodejs: integrity checks according to...

7.5 CVSS, 7.3 AI score, 0.944 EPSS
Exploits 19, References 9

Tenable Nessus
added 2025/12/03 12:0 a.m., 2 views

Debian dla-4387 : libqt5concurrent5 - security update

The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dla-4387 advisory. Debian LTS Advisory DLA-4387-1 https://www.debian.org/lts/security/...

8.6 CVSS, 7.8 AI score, 0.00205 EPSS
Exploits 0, References 4

Tenable Nessus
added 2025/12/03 12:0 a.m., 8 views

Ubuntu 20.04 LTS / 22.04 LTS : H2O vulnerability (USN-7892-1)

The remote Ubuntu 20.04 LTS / 22.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-7892-1 advisory. It was discovered that H2O exhibited poor server resource management in its HTTP/2 protocol. An attacker could possibly use this issue to cause H2O to...

7.5 CVSS, 7.2 AI score, 0.944 EPSS
Exploits 19, References 2

Atlassian
added 2025/12/02 9:27 p.m., 12 views

DoS (Denial of Service) io.netty:netty-codec-http2 Dependency Vulnerability in Crowd Data Center and Server

This High severity DoS Denial of Service vulnerability was introduced in version 7.1.0 of Crowd Data Center. This Improper Authorization vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N allows an unauthenticated attacker ...

8.2 CVSS, 5.8 AI score, 0.00053 EPSS
Exploits 1

IBM Security Bulletins
added 2025/12/02 9:40 a.m., 5 views

Security Bulletin: IBM Maximo Application Suite - Monitor Component uses WebSphere Application Server Liberty which is affected by a denial of service with HTTP/2 and vulnerable to CVE-2025-36047.

Summary IBM Maximo Application Suite - Monitor Component uses WebSphere Application Server Liberty which is affected by a denial of service with HTTP/2 and vulnerable to CVE-2025-36047. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details...

7.5 CVSS, 6.8 AI score, 0.00115 EPSS
Exploits 0, Affected Software 1

IBM Security Bulletins
added 2025/12/01 9:49 a.m., 8 views

Security Bulletin: IBM Maximo Application Suite - Monitor Component uses netty-codec-http2-4.2.2.Final.jar which is vulnerable to CVE-2025-55163.

Summary IBM Maximo Application Suite - Monitor Component uses netty-codec-http2-4.2.2.Final.jar which is vulnerable to CVE-2025-55163. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2025-55163 DESCRIPTION: Netty is an asynchronous,...

8.2 CVSS, 6.6 AI score, 0.00053 EPSS
Exploits 1, Affected Software 1

Rockylinux
added 2025/11/28 9:4 a.m., 4 views

container-tools:4.0 security and bug fix update

An update is available for module.crun, fuse-overlayfs, module.slirp4netns, python-podman, module.runc, container-selinux, module.podman, module.udica, module.fuse-overlayfs, cockpit-podman, module.conmon, containers-common, libslirp, criu, module.containers-common, crun, module.libslirp,...

9.8 CVSS, 6 AI score, 0.02514 EPSS
Exploits 2