RHCOS 3 : OpenShift Container Platform 3.9 (RHSA-2019:2769)

The remote Red Hat Enterprise Linux CoreOS 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2019:2769 advisory. - HTTP/2: flood using PING frames results in unbounded memory growth CVE-2019-9512 - HTTP/2: flood using HEADERS frames results in...

RHCOS 3 : OpenShift Container Platform 3.10 (RHSA-2019:2690)

The remote Red Hat Enterprise Linux CoreOS 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2019:2690 advisory. - HTTP/2: flood using PING frames results in unbounded memory growth CVE-2019-9512 - HTTP/2: flood using HEADERS frames results in...

SUSE-SU-2026:21490-1 Security update for containerd

This update for containerd fixes the following issue: - CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2 :path pseudo-header bsc1260296...

BIT-APACHE-2026-23918 Apache HTTP Server: http2: double free and possible RCE on early reset

Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue...

SUSE CVE-2026-23918

Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue...

Security Bulletin:Axios HTTP/2 Session Cleanup Logic State Corruption Bug Fixed in 1.13.2

Summary Axios is a promise based HTTP client for the browser and Node.js. Starting in version 1.13.0 and prior to 1.13.2, Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process through concurrent session closures. The...

RHCOS 3 : OpenShift Container Platform 3.10 haproxy (RHSA-2019:0548)

The remote Red Hat Enterprise Linux CoreOS 3 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2019:0548 advisory. - haproxy: Mishandling of priority flag in short HEADERS frame by HTTP/2 decoder allows for crash CVE-2018-20615 Note that Nessus has not...

RHCOS 4 : OpenShift Container Platform 4.14.2 (RHSA-2023:6839)

The remote Red Hat Enterprise Linux CoreOS 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:6839 advisory. - golang: net/http, x/net/http2: rapid stream resets can cause excessive work CVE-2023-44487 CVE-2023-39325 - HTTP/2: Multiple HTTP/...

Astra Linux - Vulnerability in Golang-1.19

A malicious HTTP/2 client that quickly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is limited by the http2.Server.MaxConcurrentStreams setting, resetting an ongoing request allows the attacker to create a new...

Astra Linux – Vulnerability in Node.js

A malformed HTTP/2 HEADERS frame with oversized, invalid HPACK data can cause Node.js to crash by triggering an unhandled TLSSocket error ECONNRESET. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not...

Astra Linux – Vulnerability in Tomcat9

There is a vulnerability in Apache Tomcat when using the APR/Native connector, involving concurrent execution with shared resources and improper synchronization known as “race condition”. This issue is particularly noticeable during client-initiated closures of HTTP/2 connections. This issue...

Astra Linux – Vulnerability in golang-golang-x-net

An attacker can cause excessive memory usage in a Go server that accepts HTTP/2 requests. HTTP/2 server connections include a cache of HTTP header keys sent by the client. Although the total number of entries in this cache is limited, an attacker who sends very large keys can cause the server to...

Astra Linux – Vulnerability in Apache2

HTTP/2 incoming headers that exceed the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client continues to send headers, this can lead to memory exhaustion...

Astra Linux – Vulnerability in Node.js

A memory leak could occur when a remote peer abruptly closes the socket without sending a “GOAWAY” notification. Additionally, if an invalid header is detected by nghttp2, causing the connection to be terminated by the peer, the same memory leak will be triggered. This flaw could lead to increase...

Astra Linux – Vulnerability in Netty

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high-performance protocol servers and clients. In Netty io.netty:netty-codec-http2 before version 4.1.61.Final, there is a vulnerability that allows for request smuggling. This...

Astra Linux – Vulnerability in golang-golang-x-net, golang-1.19

A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, enough to trigger a denial of service due to a small number of small requests...

Astra Linux – Vulnerabilities in nghttp2, netty, tomcat9, jetty9, grpc

The HTTP/2 protocol allows for a denial of service server resource consumption, as request cancellation can quickly reset many streams, as exploited in practice from August to October 2023...

CVE-2026-42788

The CVE-2026-42788 affects the Elixir Bandit project: Bandit::HTTP2.Frame::deserialize/2 currently buffers an entire HTTP/2 frame before enforcing SETTINGS_MAX_FRAME_SIZE, enabling unauthenticated attackers with many concurrent connections to cause memory pressure and DoS by oversized frames. Aff...

CVE-2026-42788 HTTP/2 frame size limit checked after body is buffered in bandit

Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated memory exhaustion via oversized HTTP/2 frames. 'Elixir.Bandit.HTTP2.Frame':deserialize/2 in lib/bandit/http2/frame.ex checks the SETTINGSMAXFRAMESIZE limit only after pattern-matching...

PT-2026-36544

Name of the Vulnerable Software and Affected Versions bandit versions 0.3.6 through 1.10.x Description An issue in the deserialize/2 function within Elixir.Bandit.HTTP2.Frame allows unauthenticated memory exhaustion through oversized HTTP/2 frames. The system checks the SETTINGS MAX FRAME SIZE...