Astra Linux - уязвимость в apache2

HTTP/2 incoming headers that exceed the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client continues to send headers, this can lead to memory exhaustion...

Astra Linux - уязвимость в nodejs

A malformed HTTP/2 HEADERS frame with oversized, invalid HPACK data can cause Node.js to crash by triggering an unhandled TLSSocket error ECONNRESET. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not...

MGASA-2026-0139 Updated tomcat packages fix security vulnerability

Unbounded read in WebDAV LOCK and PROPFIND handling. CVE-2026-41284 HTTP/2 request headers not validated. CVE-2026-41293 WebSocket authentication header exposure. CVE-2026-42498 Digest authenticator will authenticate any unknown user. CVE-2026-43512 LockOutRealm treats user names as case-sensitiv...

Updated tomcat packages fix security vulnerability

Unbounded read in WebDAV LOCK and PROPFIND handling. CVE-2026-41284 HTTP/2 request headers not validated. CVE-2026-41293 WebSocket authentication header exposure. CVE-2026-42498 Digest authenticator will authenticate any unknown user. CVE-2026-43512 LockOutRealm treats user names as case-sensitiv...

GHSA-R29C-68GH-XP6X Apache Tomcat - HTTP/2 request headers not validated

Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.21 Apache Tomcat 10.1.0-M1 to 10.1.54 Apache Tomcat 9.0.0.M1 to 9.0.117 Older, unsupported versions may also be affected Description: HTTP/2 request headers were not validated which may have triggered unexpected application behaviour if the...

CVE-2026-41293 Apache Tomcat: HTTP/2 request headers not validated

Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27. Older, end of support versions may also be affected. Users are recommended to...

Denial Of Service (DoS)

Node.js is vulnerable to Denial of Service DoS. The vulnerability is due to improper handling of malformed HTTP/2 HEADERS frames containing invalid HPACK data, which can trigger an unhandled TLSSocket ECONNRESET error and cause the Node.js process to crash, enabling remote denial of service...

PT-2026-3360

Name of the Vulnerable Software and Affected Versions Node.js versions affected versions not specified Description A flaw in Node.js TLS error handling can allow remote attackers to crash or exhaust resources of a TLS server when pskCallback or ALPNCallback are in use. Synchronous exceptions thro...

SUSE CVE-2024-24568

Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.3, the rules inspecting HTTP2 headers can get bypassed by crafted traffic. The vulnerability has been patched in 7.0.3...

Security update for ignition

This update for ignition fixes the following issues: CVE-2023-45288: Fixed unclosed connections when receiving too many headers in golang.org/x/net/http2 bsc1236518 Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST onlineupdate or "zypper...

CLSA-2024-1728932179 httpd: Fix of CVE-2024-27316

CVE-2024-27316: Limit buffering of HTTP/2 incoming headers to prevent memory exhaustion...

tomcat: Improper Handling of Exceptional Conditions

A vulnerability was found in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This issue led to a miscounting of active HTTP/2 streams, which in turn led to using an incorrect infinite timeout that allowed connections to remain...

Medium: oci-add-hooks

Issue Overview: An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed...

GHSA-WM9W-RJJ3-J356 Apache Tomcat - Denial of Service

Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of...

Medium: cni-plugins

Issue Overview: An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed...

Medium: golang

Issue Overview: An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed...

Tomcat: HTTP/2 header handling DoS

A vulnerability was found in the Tomcat package due to its handling of HTTP/2 requests. Specifically, when an HTTP/2 request surpasses the predetermined limits for headers configured within the server, the associated HTTP/2 stream isn't reset immediately. Instead, the reset action occurs only aft...

AZL-38314 CVE-2023-45288 affecting package blobfuse2 for versions less than 2.3.0-1

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no...

AZL-39244 CVE-2023-45288 affecting package kubevirt for versions less than 0.59.0-16

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no...

AZL-38683 CVE-2023-45288 affecting package gh for versions less than 2.62.0-1

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no...