Lucene search
K

113 matches found

RedHat Linux
RedHat Linux
added 2 days ago3 views

httpd: httpd: HTTP/2 Remote Denial of Service via compression bomb and Slowloris-style attack

A flaw was found in HTTP/2, affecting various web servers. A remote attacker can exploit this vulnerability by combining an HPACK compression bomb with a zero-byte flow-control window. This technique allows a small amount of data to expand into large memory allocations on the server, which are th...

7.5CVSS7.1AI score0.11471EPSS
Exploits8References6
RedHat Linux
RedHat Linux
added 3 days ago5 views

httpd: httpd: HTTP/2 Remote Denial of Service via compression bomb and Slowloris-style attack

A flaw was found in HTTP/2, affecting various web servers. A remote attacker can exploit this vulnerability by combining an HPACK compression bomb with a zero-byte flow-control window. This technique allows a small amount of data to expand into large memory allocations on the server, which are th...

7.5CVSS7.1AI score0.11471EPSS
Exploits8References6
OSV
OSV
added 4 days ago4 views

EEF-CVE-2026-58226 Unauthenticated denial-of-service via unbounded HPACK integer decoding in hpax

Summary Inefficient Algorithmic Complexity vulnerability in elixir-mint hpax allows unauthenticated denial-of-service via unbounded HPACK integer decoding. hpax decodes HPACK variable-length integers with no upper bound on the decoded value or the number of continuation octets...

8.7CVSS6.1AI score0.00438EPSS
Exploits0References4
CVE
CVE
added 4 days ago9 views

CVE-2026-58226

CVE-2026-58226 affects the hpax component of elixir-mint. The vulnerability is in Elixir.HPAX.Types:decode_remaining_integer/3 , which decodes HPACK integers without an upper bound, allowing an unauthenticated attacker to trigger excessive CPU and transient memory via a small HTTP/2 header block....

8.7CVSS6.1AI score0.00438EPSS
Exploits0References4
EUVD
EUVD
added 2026/07/01 5:3 p.m.8 views

EUVD-2026-41095

Allocation of resources without limits or throttling in the HTTP/2 HPACK decoder in Apache HttpComponents Core 5.4.2 and earlier, 5.5-beta1 and earlier allows an remote attacker to cause a denial of service through memory exhaustion by sending oversized compressed header blocks before the HTTP/2...

7.5CVSS5.8AI score0.00587EPSS
Exploits0References1
CVE
CVE
added 2026/07/01 5:3 p.m.73 views

CVE-2026-54428

The CVE concerns Apache HttpComponents Core HPACK decoder: on HTTP/2, the HPACK decoder may allocate resources without limits or throttling, allowing a remote attacker to cause memory exhaustion and denial of service. Affected versions are 5.4.2 and earlier, and 5.5-beta1 and earlier. The issue o...

7.5CVSS5.8AI score0.00587EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/06/23 12:59 p.m.7 views

JLSEC-2026-624 HTTP/2 client HPACK desynchronization via header blocks for unknown streams in HTTP.jl

Description The HTTP/2 client's processincomingframe! dropped HEADERS/CONTINUATION frames for stream ids absent from conn.streams without passing the header block through the connection's HPACK decoder. Because HPACK's dynamic table is connection-scoped and mutated as a side effect of decoding ea...

5.9AI score
Exploits0References2
RedHat Linux
RedHat Linux
added 2026/06/22 3:13 p.m.6 views

httpd: httpd: HTTP/2 Remote Denial of Service via compression bomb and Slowloris-style attack

A flaw was found in HTTP/2, affecting various web servers. A remote attacker can exploit this vulnerability by combining an HPACK compression bomb with a zero-byte flow-control window. This technique allows a small amount of data to expand into large memory allocations on the server, which are th...

7.5CVSS7.1AI score0.11471EPSS
Exploits8References6
OSV
OSV
added 2026/06/22 1:55 p.m.5 views

USN-8459-1 haproxy vulnerabilities

It was discovered that HAProxy incorrectly handled the FCGI demultiplexer record length field. A remote attacker could possibly use this issue to cause incorrect request routing, response smuggling, or other memory safety issues. CVE-2026-55203 It was discovered that HAProxy failed to validate th...

9.1CVSS5.9AI score0.00431EPSS
Exploits0References3
OSV
OSV
added 2026/06/22 5:40 a.m.3 views

BIT-ENVOY-2026-47774 Envoy vulnerable to HTTP/2 memory exhaustion via cookie header size bypass and HPACK amplification

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability in Envoy's HTTP/2 downstream request processing allows an unauthenticated remote client to trigger excessive memory consumption, potentiall...

7.5CVSS6AI score0.00815EPSS
Exploits1References11
Tenable Nessus
Tenable Nessus
added 2026/06/22 12:0 a.m.5 views

Amazon Linux 2 : ecs-service-connect-agent, --advisory ALAS2ECS-2026-126 (ALASECS-2026-126)

The version of ecs-service-connect-agent installed on the remote host is prior to v1.34.13.2-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2ECS-2026-126 advisory. A denial-of-service vulnerability was found in Envoy's HTTP/2 HPACK header compression implementation. A...

7.5CVSS5.9AI score0.00815EPSS
Exploits1References4
Tenable Nessus
Tenable Nessus
added 2026/06/22 12:0 a.m.9 views

Amazon Linux 2023 : ecs-service-connect-agent (ALAS2023-2026-1893)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1893 advisory. A denial-of-service vulnerability was found in Envoy's HTTP/2 HPACK header compression implementation. A remote attacker could send a specially crafted HTTP/2 request that triggers disproportionately...

7.5CVSS6.1AI score0.00815EPSS
Exploits1References4
CVE
CVE
added 2026/06/17 4:58 p.m.139 views

CVE-2026-47774

CVE-2026-47774 affects Envoy prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1. A vulnerability in HTTP/2 downstream request processing combines two issues: (1) cookie header bytes are not fully accounted for during request header size validation, and (2) HPACK header limits are enforced on e...

7.5CVSS5.8AI score0.00815EPSS
Exploits1References10Affected Software1
Vulnrichment
Vulnrichment
added 2026/06/17 4:58 p.m.8 views

CVE-2026-47774 Envoy vulnerable to HTTP/2 memory exhaustion via cookie header size bypass and HPACK amplification

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability in Envoy's HTTP/2 downstream request processing allows an unauthenticated remote client to trigger excessive memory consumption, potentiall...

7.5CVSS5.8AI score0.00815EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/06/15 2:36 p.m.7 views

CVE-2026-12043

A flaw was found in the AWS Common Runtime aws-c-http library. A remote attacker, by operating a malicious server, could send a crafted sequence of HTTP/2 HEADERS frames that improperly handle HPACK dynamic table size updates. This could lead to memory corruption on a connecting client applicatio...

8.8CVSS5.7AI score0.00351EPSS
Exploits0References2
Packet Storm
Packet Storm
added 2026/06/12 12:0 a.m.75 views

📄 HTTP/2 Multi-Server HPACK Exhaustion

This code implements a multi-target HTTP/2 resource exhaustion framework designed to stress or overwhelm server implementations through protocol-level amplification techniques. It includes server-specific payload generation for multiple platforms, automated connection orchestration, stream scalin...

5.4AI score
Exploits0
EUVD
EUVD
added 2026/06/06 9:14 a.m.12 views

EUVD-2026-34964

Protocol::HTTP2 versions through 1.12 for Perl is vulnerable to a HTTP/2 Bomb. Protocol::HTTP2's inbound HPACK path has no header-list size limit, so a small HTTP/2 request can expand into large server memory the "HTTP/2 bomb". The headersdecode method materialises a full key+value copy per index...

5.7AI score0.00414EPSS
Exploits0References3
CVE
CVE
added 2026/06/06 9:14 a.m.71 views

CVE-2026-10725

Protocol::HTTP2 for Perl (versions up to 1.12) is vulnerable to an HTTP/2 Bomb. The inbound HPACK path lacks a header-list size limit; headers_decode materialises a full key+value copy per indexed reference with no running size check, and stream_header_block_add appends every CONTINUATION frame u...

7.5CVSS5.7AI score0.00414EPSS
Exploits0References6Affected Software1
OSV
OSV
added 2026/06/05 3:48 p.m.10 views

OESA-2026-2568 wireshark security update

Wireshark allows you to examine protocol data stored in files or as it is captured from wired or wireless WiFi or Bluetooth networks, USB devices, and many other sources. It supports dozens of protocol capture file formats and understands more than a thousand protocols. Security Fixes: ROHC...

5.5CVSS5.4AI score0.00092EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/04 5:43 p.m.50 views

CVE-2026-40898 quic-go: HTTP/3 QPACK Trailer Expansion Memory Exhaustion

quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.59.1, an attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large trailer field section with many unique field...

5.3CVSS0.00279EPSS
Exploits0References2
Rows per page
Query Builder