
346 matches found

EUVD
added 2 days ago · 7 views

EUVD-2026-37718

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules. This vulnerability exists when the proxy_http_version (set to 2) or grpc_pass directives are used to proxy HTTP/2 traffic, the ignore_invalid_headers directive is set to off, and the...

CVSS 9.2 · AI score 6 · EPSS 0.00636
Exploits: 1 · References: 1
Tenable Nessus
added 5 days ago · 5 views

SUSE SLES15 Security Update : tomcat11 (SUSE-SU-2026:2374-1)

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2374-1 advisory. This update for tomcat11 fixes the following issues: Update to Tomcat 11.0.22: - CVE-2026-41284: Unbounded read in WebDAV LOCK and...

CVSS 9.8 · AI score 6.7 · EPSS 0.0078
Exploits: 1 · References: 22
Vulnrichment
added last week · 5 views

CVE-2026-47244 Netty HTTP/2: Advertised MAX_CONCURRENT_STREAMS are not enforced

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAX_VALUE, and Http2Settings never inserts...

CVSS 5.3 · AI score 5.2 · EPSS 0.00507
Exploits: 0 · References: 3
Tenable Nessus
added 2026/06/12 12:00 a.m. · 5 views

Linux Distros Unpatched Vulnerability : CVE-2026-50560

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty HTTP/2 max...

CVSS 6.9 · AI score 5.5 · EPSS 0.00302
Exploits: 0 · References: 3
Tenable Nessus
added 2026/06/11 12:00 a.m. · 4 views

openSUSE 16 Security Update : elemental-toolkit (openSUSE-SU-2026:20921-1)

The remote openSUSE 16 host has a package installed that is affected by a vulnerability as referenced in the openSUSE-SU-2026:20921-1 advisory. This update for elemental-toolkit fixes the following issue: - CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of...

CVSS 9.1 · AI score 7.6 · EPSS 0.00522
Exploits: 1 · References: 6
Positive Technologies
added 2026/06/11 12:00 a.m. · 7 views

PT-2026-48688

Name of the Vulnerable Software and Affected Versions: netty-codec-http2 versions prior to 4.1.135.Final; netty-codec-http2 versions prior to 4.2.15.Final. Description: The DelegatingDecompressorFrameListener class manages HTTP/2 decompression by using a per-stream EmbeddedChannel to run decompressio...

CVSS 7.5 · AI score 5.3 · EPSS 0.00609
Exploits: 0 · References: 26
OSV
added 2026/06/11 12:00 a.m. · 3 views

ALSA-2026:25225 Important: mod_http2 security update

The mod_h2 Apache httpd module implements the HTTP/2 protocol (h2+h2c) on top of libnghttp2 for httpd 2.4 servers. Security Fixes: httpd: HTTP/2: Remote Denial of Service via compression bomb and Slowloris-style attack (CVE-2026-49975). For more details about the security issues, including the impact, a...

CVSS 7.5 · AI score 5.3 · EPSS 0.01313
Exploits: 6 · References: 4
RedhatCVE
added 2026/06/10 9:02 p.m. · 7 views

CVE-2026-49160

Uncontrolled resource consumption in HTTP/2 allows an unauthorized attacker to deny service over a network...

CVSS 7.5 · AI score 5.9 · EPSS 0.00969
Exploits: 1 · References: 1
OSV
added 2026/06/10 1:22 p.m. · 3 views

SUSE-SU-2026:2348-1 Security update for google-cloud-sap-agent

This update for google-cloud-sap-agent fixes the following issue: - CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE (bsc#1265764). Changes for google-cloud-sap-agent: - Update to version 3.14 (bsc#1265991)...

CVSS 7.5 · AI score 5.4 · EPSS 0.00565
Exploits: 0 · References: 4
RedhatCVE
added 2026/06/10 11:45 a.m. · 8 views

CVE-2026-47774

A denial-of-service vulnerability was found in Envoy's HTTP/2 HPACK header compression implementation. A remote attacker could send a specially crafted HTTP/2 request that triggers disproportionately large memory allocations on the server, leading to resource exhaustion and denial of service...

CVSS 7.5 · AI score 5.7 · EPSS 0.00556
Exploits: 0 · References: 3
Hacker One
added 2026/06/10 7:54 a.m. · 11 views

curl: Incomplete Suppression of Transfer-Encoding: chunked Header in HTTP/2 After Redirect From HTTP/1.1

When curl sends a request with Transfer-Encoding: chunked using HTTP/1.1, and follows a redirect to an HTTP/2 endpoint, the upload_chunky flag is not properly reset. As a result, the Transfer-Encoding: chunked header is sent in the subsequent request even when HTTP/2 is negotiated/used. This violat...

AI score 5.3
Exploits: 0
OSV
added 2026/06/10 12:00 a.m. · 5 views

ALSA-2026:25057 Important: mod_http2 security update

The mod_h2 Apache httpd module implements the HTTP/2 protocol (h2+h2c) on top of libnghttp2 for httpd 2.4 servers. Security Fixes: httpd: HTTP/2: Remote Denial of Service via compression bomb and Slowloris-style attack (CVE-2026-49975). For more details about the security issues, including the impact, a...

CVSS 7.5 · AI score 5.5 · EPSS 0.01313
Exploits: 6 · References: 4
OSV
added 2026/06/09 1:48 p.m. · 7 views

USN-8398-2 nginx regression

USN-8398-1 fixed a vulnerability in nginx. The update introduced a regression causing nginx to crash when being used with external modules. This update reverts the fix for CVE-2026-49975 pending further investigation. We apologize for the inconvenience. Original advisory details: It was discovere...

CVSS 7.5 · AI score 5.6 · EPSS 0.01313
Exploits: 6 · References: 2
OSV
added 2026/06/09 12:51 p.m. · 3 views

SUSE-SU-2026:2314-1 Security update for libsoup

This update for libsoup fixes the following issues: - CVE-2026-1801: HTTP Request Smuggling in soup_filter_input_stream_read_line (bsc#1257649). - CVE-2026-4271: use-after-free in the HTTP/2 server when user signal handlers disconnect connections during callback execution (bsc#1259767)...

CVSS 7.5 · AI score 5.7 · EPSS 0.00829
Exploits: 1 · References: 5
Snyk
added 2026/06/08 11:02 p.m. · 7 views

Allocation of Resources Without Limits or Throttling

Overview: io.netty:netty-codec-http2 is an HTTP2 sub package for the netty library, an event-driven asynchronous network application framework. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the lack of enforcement of the advertised...

CVSS 6.9 · AI score 5.5 · EPSS 0.00507
Exploits: 0 · References: 2
Debian
added 2026/06/07 8:06 a.m. · 11 views

[SECURITY] [DLA 4620-1] apache2 security update

Debian LTS Advisory DLA-4620-1 · [email protected] · https://www.debian.org/lts/security/ · Bastien Roucariès · June 07, 2026 · https://wiki.debian.org/LTS...

CVSS 7.5 · AI score 5.3 · EPSS 0.01313
Exploits: 6
RedhatCVE
added 2026/06/05 1:58 p.m. · 8 views

CVE-2026-49975

A flaw was found in HTTP/2, affecting various web servers. A remote attacker can exploit this vulnerability by combining an HPACK compression bomb with a zero-byte flow-control window. This technique allows a small amount of data to expand into large memory allocations on the server, which are th...

CVSS 7.5 · AI score 5.5 · EPSS 0.01313
Exploits: 6 · References: 4
OSV
added 2026/06/05 12:11 p.m. · 2 views

SUSE-SU-2026:2280-1 Security update for ignition

This update for ignition fixes the following issue: - CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE (bsc#1265751)...

CVSS 7.5 · AI score 5.5 · EPSS 0.00565
Exploits: 0 · References: 3
Tenable Nessus
added 2026/06/05 12:00 a.m. · 6 views

Suricata < 7.0.16 / 8.x < 8.0.5 Multiple Vulnerabilities

The version of OISF Suricata installed on the remote host is prior to 7.0.16 or 8.x prior to 8.0.5. It is, therefore, affected by multiple vulnerabilities, including: - A protocol change while processing HTTP/2 traffic could lead to type confusion in Suricata. Crafted traffic may cause Suricata t...

AI score 5.8 · EPSS 0.02219
Exploits: 0 · References: 20
SUSE CVE
added 2026/06/04 2:21 a.m. · 6 views

SUSE CVE-2026-50052

In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a deficiency in HTTP/2 request parsing can be exploited to launch a backend request desync attack (request smuggling), which in turn can be used for cache poisoning, authentication bypass, or possibly even information disclosure and...

CVSS 2.3 · AI score 5.8 · EPSS 0.00317
Exploits: 0 · References: 3