Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net

...

Exploit for Double Free in Apache Http_Server

CVE-2026-23918 "Apache HTTP/2 Double-Free" — Detection & Respo...

Apache mod_http2 Double-Free Detector

This is a python script that assist with detecting whether or not a server is vulnerable to the Apache modhttp2 double-free vulnerability...

CVE-2026-33814

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGSMAXFRAMESIZE with a value of 0...

Infinite loop

Overview std/net/http is a Go standard library package std/net/http Affected versions of this package are vulnerable to Infinite loop. Go Vulnerability Report: When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a...

Exploit for Double Free in Apache Http_Server

CVE-2026-23918 Apache modhttp2 Double-Free Detector ht...

ai.agentican:agentican-framework-core (>=0.1.0-alpha.2 <=0.1.0-alpha.4), ai.agentican:agentican-quarkus-deployment (>=0.1.0-alpha.1 <=0.1.0-alpha.4) +19828 more potentially affected by CVE-2026-42587 via io.netty:netty-codec-http2 (>=4.1.0.Beta4 <=4.1.132.Final)

io.netty:netty-codec-http2 MAVEN version =4.1.0.Beta4, =0.1.0-alpha.2, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.3, =0.1.0-alpha.2, =0.1.0, =0.1.0, =0.2.0, =0.2.0, =0.28.0 and more Source cves:...

ai.new-wave:spring-agent-app (>=0.1.0 <=0.3.0), ai.new-wave:spring-agent-core (>=0.1.0 <=0.3.0) +2561 more potentially affected by CVE-2026-42587 via io.netty:netty-codec-http2 (>=4.2.0.Alpha1 <=4.2.12.Final)

io.netty:netty-codec-http2 MAVEN version =4.2.0.Alpha1, =0.1.0, =0.1.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.2 and more Source cves: CVE-2026-42587 Source advisory: SNYK:JAVA-IONETTY-16438929...

ai.new-wave:spring-agent-app (>=0.1.0 <=0.3.0), ai.new-wave:spring-agent-core (>=0.1.0 <=0.3.0) +2561 more potentially affected by CVE-2026-42587 via io.netty:netty-codec-http2 (>=4.2.0.Alpha1 <=4.2.12.Final)

io.netty:netty-codec-http2 MAVEN version =4.2.0.Alpha1, =0.1.0, =0.1.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.2 and more Source cves: CVE-2026-42587 Source advisory: OSV:GHSA-F6HV-JMP6-3VWV...

ai.agentican:agentican-framework-core (>=0.1.0-alpha.2 <=0.1.0-alpha.4), ai.agentican:agentican-quarkus-deployment (>=0.1.0-alpha.1 <=0.1.0-alpha.4) +19828 more potentially affected by CVE-2026-42587 via io.netty:netty-codec-http2 (>=4.1.0.Beta4 <=4.1.132.Final)

io.netty:netty-codec-http2 MAVEN version =4.1.0.Beta4, =0.1.0-alpha.2, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.3, =0.1.0-alpha.2, =0.1.0, =0.1.0, =0.2.0, =0.2.0, =0.28.0 and more Source cves:...

CLSA-2026-1778107205 Fix CVE(s): CVE-2026-23918

SECURITY UPDATE: double free / possible RCE in modhttp2 stream purge - debian/patches/CVE-2026-23918.patch: deduplicate inserts into the spurge array in modules/http2/h2mplx.c via a new addforpurge helper to prevent the same h2stream from being freed twice. - CVE-2026-23918...

USN-8233-2: nghttp2 vulnerability

USN-8233-1 fixed a vulnerability in nghttp2. This update provides the corresponding update for Ubuntu 26.04 LTS. Original advisory details: Andrew MacPherson discovered that nghttp2 did not properly validate internal state when the session termination API was called. A remote attacker could...

CLSA-2026-1778070287 mod_http2: Fix of CVE-2026-23918

CVE-2026-23918: fix double free via double stream purge in modhttp2...

PT-2026-38541

USN-8233-1 fixed a vulnerability in nghttp2. This update provides the corresponding update for Ubuntu 26.04 LTS. Original advisory details: Andrew MacPherson discovered that nghttp2 did not properly validate internal state when the session termination API was called. A remote attacker could...

GHSA-Q8X4-X7MP-5VG2 Plug.Cowboy vulnerable to unauthenticated remote DoS via HTTP/2 `:scheme` atom-table exhaustion

Summary An unauthenticated remote denial-of-service vulnerability in Plug.Cowboy.Conn allows any attacker who can reach an HTTPS Plug.Cowboy listener via HTTP/2 to permanently exhaust the BEAM atom table and crash the entire Erlang VM. Am I Affected? All users running plugcowboy with HTTP/2 may b...

FreeBSD : www/apache24 -- Multiple vulnerabilities (1ccc383b-486a-11f1-8b62-8447094a420f)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 1ccc383b-486a-11f1-8b62-8447094a420f advisory. The Apache httpd project reports: modproxyajp: CVE-2026-34059, CVE-2026-34032, CVE-2026-33857,...

[slackware-security] httpd

New httpd packages are available for Slackware 15.0 and -current to fix security issues. Here are the details from the Slackware 15.0 ChangeLog: patches/packages/httpd-2.4.67-i586-1slack15.0.txz: Upgraded. This release fixes bugs and the following security issues: modproxyajp: Heap Over-Read and...

CVE-2026-23918 Apache HTTP Server: http2: double free and possible RCE on early reset

Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue...

Astra Linux – Vulnerability in Netty

Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty was vulnerable to MadeYouReset DDoS attacks. This is a logical vulnerability in the HTTP/2 protocol, which exploits malformed HTTP/2 control frames to break the maximum...

Astra Linux – Vulnerability in qtbase-opensource-src

A issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code that makes security-related decisions regarding established connections may execute prematurely, because the encrypted signal has not yet been...