Lucene search
+L

119 matches found

CVE
CVE
added yesterday6 views

CVE-2026-54340

CVE-2026-54340 affects the h2o HTTP server (HTTP/2) and describes an HTTP/2 state amplification issue where HPACK decompression amplification combines with Slowloris-style stream stalling. Amplified decoded header state can be retained by stalled HTTP/2 streams; depending on configuration, additi...

7.5CVSS6AI score
Exploits0References2
RedhatCVE
RedhatCVE
added yesterday4 views

CVE-2026-55204

A flaw was found in HAProxy. An attacker can trigger HPACK dynamic table insertions under memory pressure, leading to a null pointer dereference in the hpackdhtinsert function. This can cause HAProxy worker processes to crash, resulting in a denial of service DoS. Mitigation Mitigation for this...

8.7CVSS6AI score0.00431EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 4 days ago7 views

CVE-2026-54428

A flaw was found in Apache HttpComponents Core. This vulnerability, located in the HTTP/2 HPACK decoder, allows a remote attacker to cause a denial of service. By sending oversized compressed header blocks, an attacker can exhaust memory resources before the system's configured header list size...

7.5CVSS6.1AI score0.00587EPSS
Exploits0References5
RedHat Linux
RedHat Linux
added 2026/07/08 5:58 p.m.3 views

httpd: httpd: HTTP/2 Remote Denial of Service via compression bomb and Slowloris-style attack

A flaw was found in HTTP/2, affecting various web servers. A remote attacker can exploit this vulnerability by combining an HPACK compression bomb with a zero-byte flow-control window. This technique allows a small amount of data to expand into large memory allocations on the server, which are th...

7.5CVSS7.1AI score0.11471EPSS
Exploits8References6
RedHat Linux
RedHat Linux
added 2026/07/07 9:48 p.m.9 views

httpd: httpd: HTTP/2 Remote Denial of Service via compression bomb and Slowloris-style attack

A flaw was found in HTTP/2, affecting various web servers. A remote attacker can exploit this vulnerability by combining an HPACK compression bomb with a zero-byte flow-control window. This technique allows a small amount of data to expand into large memory allocations on the server, which are th...

7.5CVSS7.1AI score0.11471EPSS
Exploits8References6
OSV
OSV
added 2026/07/06 9:3 a.m.4 views

EEF-CVE-2026-58226 Unauthenticated denial-of-service via unbounded HPACK integer decoding in hpax

Summary Inefficient Algorithmic Complexity vulnerability in elixir-mint hpax allows unauthenticated denial-of-service via unbounded HPACK integer decoding. hpax decodes HPACK variable-length integers with no upper bound on the decoded value or the number of continuation octets...

8.7CVSS6.1AI score0.00438EPSS
Exploits0References4
CVE
CVE
added 2026/07/06 9:3 a.m.10 views

CVE-2026-58226

CVE-2026-58226 affects the hpax component of elixir-mint. The vulnerability is in Elixir.HPAX.Types:decode_remaining_integer/3 , which decodes HPACK integers without an upper bound, allowing an unauthenticated attacker to trigger excessive CPU and transient memory via a small HTTP/2 header block....

8.7CVSS6.1AI score0.00438EPSS
Exploits0References4
Debian CVE
Debian CVE
added 2026/07/01 5:3 p.m.11 views

CVE-2026-54428

Allocation of resources without limits or throttling in the HTTP/2 HPACK decoder in Apache HttpComponents Core 5.4.2 and earlier, 5.5-beta1 and earlier allows an remote attacker to cause a denial of service through memory exhaustion by sending oversized compressed header blocks before the HTTP/2...

7.5CVSS5.8AI score0.00587EPSS
Exploits0
EUVD
EUVD
added 2026/07/01 5:3 p.m.8 views

EUVD-2026-41095

Allocation of resources without limits or throttling in the HTTP/2 HPACK decoder in Apache HttpComponents Core 5.4.2 and earlier, 5.5-beta1 and earlier allows an remote attacker to cause a denial of service through memory exhaustion by sending oversized compressed header blocks before the HTTP/2...

7.5CVSS5.8AI score0.00587EPSS
Exploits0References1
CVE
CVE
added 2026/07/01 5:3 p.m.135 views

CVE-2026-54428

The CVE concerns Apache HttpComponents Core HPACK decoder: on HTTP/2, the HPACK decoder may allocate resources without limits or throttling, allowing a remote attacker to cause memory exhaustion and denial of service. Affected versions are 5.4.2 and earlier, and 5.5-beta1 and earlier. The issue o...

7.5CVSS5.8AI score0.00587EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/06/23 12:59 p.m.9 views

JLSEC-2026-624 HTTP/2 client HPACK desynchronization via header blocks for unknown streams in HTTP.jl

Description The HTTP/2 client's processincomingframe! dropped HEADERS/CONTINUATION frames for stream ids absent from conn.streams without passing the header block through the connection's HPACK decoder. Because HPACK's dynamic table is connection-scoped and mutated as a side effect of decoding ea...

5.9AI score
Exploits0References2
RedHat Linux
RedHat Linux
added 2026/06/22 3:13 p.m.7 views

httpd: httpd: HTTP/2 Remote Denial of Service via compression bomb and Slowloris-style attack

A flaw was found in HTTP/2, affecting various web servers. A remote attacker can exploit this vulnerability by combining an HPACK compression bomb with a zero-byte flow-control window. This technique allows a small amount of data to expand into large memory allocations on the server, which are th...

7.5CVSS7.1AI score0.11471EPSS
Exploits8References6
OSV
OSV
added 2026/06/22 1:55 p.m.6 views

USN-8459-1 haproxy vulnerabilities

It was discovered that HAProxy incorrectly handled the FCGI demultiplexer record length field. A remote attacker could possibly use this issue to cause incorrect request routing, response smuggling, or other memory safety issues. CVE-2026-55203 It was discovered that HAProxy failed to validate th...

9.1CVSS5.9AI score0.00431EPSS
Exploits0References3
OSV
OSV
added 2026/06/22 5:40 a.m.5 views

BIT-ENVOY-2026-47774 Envoy vulnerable to HTTP/2 memory exhaustion via cookie header size bypass and HPACK amplification

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability in Envoy's HTTP/2 downstream request processing allows an unauthenticated remote client to trigger excessive memory consumption, potentiall...

7.5CVSS6AI score0.00815EPSS
Exploits1References11
Tenable Nessus
Tenable Nessus
added 2026/06/22 12:0 a.m.7 views

Amazon Linux 2 : ecs-service-connect-agent, --advisory ALAS2ECS-2026-126 (ALASECS-2026-126)

The version of ecs-service-connect-agent installed on the remote host is prior to v1.34.13.2-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2ECS-2026-126 advisory. A denial-of-service vulnerability was found in Envoy's HTTP/2 HPACK header compression implementation. A...

7.5CVSS6.2AI score0.00815EPSS
Exploits1References4
Tenable Nessus
Tenable Nessus
added 2026/06/22 12:0 a.m.11 views

Amazon Linux 2023 : ecs-service-connect-agent (ALAS2023-2026-1893)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1893 advisory. A denial-of-service vulnerability was found in Envoy's HTTP/2 HPACK header compression implementation. A remote attacker could send a specially crafted HTTP/2 request that triggers disproportionately...

7.5CVSS6.2AI score0.00815EPSS
Exploits1References4
CVE
CVE
added 2026/06/17 4:58 p.m.148 views

CVE-2026-47774

CVE-2026-47774 affects Envoy prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1. A vulnerability in HTTP/2 downstream request processing combines two issues: (1) cookie header bytes are not fully accounted for during request header size validation, and (2) HPACK header limits are enforced on e...

7.5CVSS5.8AI score0.00815EPSS
Exploits1References10Affected Software1
Vulnrichment
Vulnrichment
added 2026/06/17 4:58 p.m.9 views

CVE-2026-47774 Envoy vulnerable to HTTP/2 memory exhaustion via cookie header size bypass and HPACK amplification

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability in Envoy's HTTP/2 downstream request processing allows an unauthenticated remote client to trigger excessive memory consumption, potentiall...

7.5CVSS5.8AI score0.00815EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/06/15 2:36 p.m.9 views

CVE-2026-12043

A flaw was found in the AWS Common Runtime aws-c-http library. A remote attacker, by operating a malicious server, could send a crafted sequence of HTTP/2 HEADERS frames that improperly handle HPACK dynamic table size updates. This could lead to memory corruption on a connecting client applicatio...

8.8CVSS5.7AI score0.00351EPSS
Exploits0References2
Packet Storm
Packet Storm
added 2026/06/12 12:0 a.m.82 views

📄 HTTP/2 Multi-Server HPACK Exhaustion

This code implements a multi-target HTTP/2 resource exhaustion framework designed to stress or overwhelm server implementations through protocol-level amplification techniques. It includes server-specific payload generation for multiple platforms, automated connection orchestration, stream scalin...

5.4AI score
Exploits0
Rows per page
Query Builder