Astra Linux – Vulnerability in Apache2

The Apache HTTP Server protocol handler for the HTTP/2 protocol checks the received request headers against the size limitations configured for the server. These restrictions are also applied to the HTTP/1 protocol. If any violations occur, an HTTP response is sent to the client with a status cod...

Astra Linux – Vulnerability in golang-golang-x-net

In Go, net/http versions before 1.16.12 and 1.17.x, as well as before 1.17.5, allowed uncontrolled memory consumption in the header canonicalization cache through HTTP/2 requests...

Astra Linux – Vulnerability in Tomcat9

There is a vulnerability in Apache Tomcat related to uncontrolled resource consumption, especially when an HTTP/2 client does not acknowledge the initial settings frame that reduces the maximum number of concurrent streams allowed. This issue affects Apache Tomcat versions as follows: from...

Authorization Bypass

google.golang.org/grpc is vulnerable to authorization bypass. The vulnerability is due to improper validation of the HTTP/2 :path pseudo-header, which allows an attacker to send malformed requests without a leading slash and bypass path-based authorization policies when fallback "allow" rules are...

CVE-2026-42788

Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated memory exhaustion via oversized HTTP/2 frames. 'Elixir.Bandit.HTTP2.Frame':deserialize/2 in lib/bandit/http2/frame.ex checks the SETTINGSMAXFRAMESIZE limit only after pattern-matching...

CVE-2026-32688

Allocation of Resources Without Limits or Throttling vulnerability in elixir-plug plugcowboy allows unauthenticated remote denial of service via atom table exhaustion. Plug.Cowboy.Conn.conn/1 in lib/plug/cowboy/conn.ex calls String.toatom/1 on the value returned by :cowboyreq.scheme/1. For HTTP/2...

Important: Red Hat Security Advisory: rhc security update

An update for rhc is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the C...

SUSE-SU-2026:21370-1 Security update for ignition

This update for ignition fixes the following issue: - CVE-2026-33186: Fixed an authorization bypass due to improper validation of the HTTP/2: path pseudo-header bsc1260251...

Security update for nodejs22

This update for nodejs22 fixes the following issues: Update to version 22.22.2. CVE-2026-21717: trivially predictable hash collisions due to flaw in V8's string hashing mechanism allows for performance degradation via a crafted request bsc1260494. CVE-2026-21716: incomplete fix for CVE-2024-36137...

RHEL 10 : nghttp2 (RHSA-2026:8868)

The remote Redhat Enterprise Linux 10 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2026:8868 advisory. libnghttp2 is a library implementing the Hypertext Transfer Protocol version 2 HTTP/2 protocol in C. Security Fixes: nghttp2: nghttp2: Denial of...

OESA-2026-1954 nodejs security update

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices...

OESA-2026-1953 nodejs security update

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices...

OESA-2026-1952 nodejs security update

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices...

OESA-2026-1951 nodejs security update

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices...

Security update for terraform-provider-local, terraform-provider-random, terraform-provider-tls

This update for terraform-provider-local, terraform-provider-random, terraform-provider-tls fixes the following issue: CVE-2026-25934: github.com/go-git/go-git/v5: improper verification of data integrity values for .pack and .idx files can lead to the consumption of corrupted files bsc1258097...

SUSE-SU-2026:1395-1 Security update for azure-storage-azcopy

This update for azure-storage-azcopy fixes the following issues: - CVE-2026-33186: Authorization bypass in grpc-go due to improper validation of the HTTP/2 :path pseudo-header bsc1260307...

AlmaLinux 9 : nghttp2 (ALSA-2026:7668)

The remote AlmaLinux 9 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2026:7668 advisory. nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination CVE-2026-27135 Tenable has extracted the preceding description block...

SUSE SLES15 Security Update : nodejs20 (SUSE-SU-2026:1371-1)

The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1371-1 advisory. Update to version 20.20.2. - CVE-2026-21717: trivially predictable hash collisions due to flaw in V8's string hashing mechanism...

RHEL 9 : nghttp2 (RHSA-2026:8545)

The remote Redhat Enterprise Linux 9 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2026:8545 advisory. libnghttp2 is a library implementing the Hypertext Transfer Protocol version 2 HTTP/2 protocol in C. Security Fixes: nghttp2: nghttp2: Denial of...

RHEL 9 : rhc (RHSA-2026:8322)

The remote Redhat Enterprise Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2026:8322 advisory. rhc is a client tool and daemon that connects the system to Red Hat hosted services enabling system and subscription management. Security...