43 matches found

CVE, added yesterday, 4 views

CVE-2026-54428

The CVE concerns Apache HttpComponents Core HPACK decoder: on HTTP/2, the HPACK decoder may allocate resources without limits or throttling, allowing a remote attacker to cause memory exhaustion and denial of service. Affected versions are 5.4.2 and earlier, and 5.5-beta1 and earlier. The issue o...

CVSS 7.5, AI score 5.8
Exploits 0, References 2
Veracode, added 2026/06/16 11:59 a.m., 9 views

Denial Of Service (DoS)

Netty is vulnerable to Denial of Service (DoS). The vulnerability is due to improper handling of HTTP/2 SETTINGS_MAX_HEADER_LIST_SIZE values, which allows an attacker to trigger repeated request processing and response-header generation failures, leading to resource exhaustion similar to an HTTP/2 Rapi...

CVSS 6.9, AI score 5.2, EPSS 0.00302
Exploits 0, References 5, Affected Software 1
EUVD, added 2026/06/15 8:46 p.m., 8 views

EUVD-2026-36471

Netty susceptible to HTTP/2 Reset Attack with different on-the-wire signature...

CVSS 6.9, AI score 5.2, EPSS 0.00302
Exploits 0, References 5
OSV, added 2026/06/15 8:46 p.m., 4 views

GHSA-563Q-J3CM-6JXM Netty susceptible to HTTP/2 Reset Attack with different on-the-wire signature

Summary: Netty HTTP/2 max header size handling produces an attack similar to HTTP/2 Rapid Reset. Details: There is a setting in the HTTP/2 specification called SETTINGS_MAX_HEADER_LIST_SIZE. According to the RFC: “This advisory setting informs a peer of the maximum field section size that the sender is...

CVSS 6.9, AI score 5.4, EPSS 0.00302
Exploits 0, References 6
Github Security Blog, added 2026/06/15 8:46 p.m., 8 views

Netty susceptible to HTTP/2 Reset Attack with different on-the-wire signature

Summary: Netty HTTP/2 max header size handling produces an attack similar to HTTP/2 Rapid Reset. Details: There is a setting in the HTTP/2 specification called SETTINGS_MAX_HEADER_LIST_SIZE. According to the RFC: “This advisory setting informs a peer of the maximum field section size that the sender is...

CVSS 6.9, AI score 5.3, EPSS 0.00302
Exploits 0, References 6, Affected Software 1
Cvelist, added 2026/06/12 2:59 p.m., 25 views

CVE-2026-50560 Netty susceptible to HTTP/2 Reset Attack with different on-the-wire signature

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty HTTP/2 max header size handling produces an attack similar to HTTP/2 Rapid Reset. There is a setting in the HTTP/2 specification called...

CVSS 6.9, EPSS 0.00302
Exploits 0, References 4
Positive Technologies, added 2026/06/12 12:00 a.m., 12 views

PT-2026-48916

Name of the Vulnerable Software and Affected Versions: Netty versions prior to 4.1.135.Final; Netty versions prior to 4.2.15.Final. Description: Netty HTTP/2 max header size handling allows for an attack similar to HTTP/2 Rapid Reset. When a client sends the SETTINGS_MAX_HEADER_LIST_SIZE setting, the...

CVSS 6.9, AI score 5.2, EPSS 0.00302
Exploits 0, References 8
RedhatCVE, added 2026/06/10 11:45 a.m., 11 views

CVE-2026-47774

A denial-of-service vulnerability was found in Envoy's HTTP/2 HPACK header compression implementation. A remote attacker could send a specially crafted HTTP/2 request that triggers disproportionately large memory allocations on the server, leading to resource exhaustion and denial of service...

CVSS 7.5, AI score 5.7, EPSS 0.00708
Exploits 0, References 3
OSV, added 2026/06/09 7:58 a.m., 7 views

SUSE-SU-2026:2306-1 Security update for perl-Protocol-HTTP2

This update for perl-Protocol-HTTP2 fixes the following issue: CVE-2026-10725: denial of service due to absence of an inbound HPACK header-list size limit (HTTP/2 Bomb attack) (bsc#1267857)...

CVSS 7.5, AI score 5.4, EPSS 0.00414
Exploits 0, References 3
SUSE CVE, added 2026/06/09 2:27 a.m., 11 views

SUSE CVE-2026-10725

Protocol::HTTP2 versions before 1.13 for Perl are vulnerable to an HTTP/2 Bomb. Protocol::HTTP2's inbound HPACK path has no header-list size limit, so a small HTTP/2 request can expand into large server memory (the "HTTP/2 bomb"). The headers_decode method materialises a full key+value copy per indexe...

CVSS 7.5, AI score 5.7, EPSS 0.00414
Exploits 0, References 4
NVD, added 2026/06/06 10:16 a.m., 14 views

CVE-2026-10725

Protocol::HTTP2 versions before 1.13 for Perl are vulnerable to an HTTP/2 Bomb. Protocol::HTTP2's inbound HPACK path has no header-list size limit, so a small HTTP/2 request can expand into large server memory (the "HTTP/2 bomb"). The headers_decode method materialises a full key+value copy per indexe...

CVSS 7.5, EPSS 0.00414
Exploits 0, References 6
Cvelist, added 2026/06/06 9:14 a.m., 39 views

CVE-2026-10725 Protocol::HTTP2 versions before 1.13 for Perl are vulnerable to an HTTP/2 Bomb

Protocol::HTTP2 versions before 1.13 for Perl are vulnerable to an HTTP/2 Bomb. Protocol::HTTP2's inbound HPACK path has no header-list size limit, so a small HTTP/2 request can expand into large server memory (the "HTTP/2 bomb"). The headers_decode method materialises a full key+value copy per indexe...

EPSS 0.00414
Exploits 0, References 5
ATTACKERKB, added 2026/06/06 9:14 a.m., 9 views

CVE-2026-10725

Protocol::HTTP2 versions through 1.12 for Perl are vulnerable to an HTTP/2 Bomb. Protocol::HTTP2's inbound HPACK path has no header-list size limit, so a small HTTP/2 request can expand into large server memory (the "HTTP/2 bomb"). The headers_decode method materialises a full key+value copy per index...

AI score 5.7, EPSS 0.00414
Exploits 0, References 4
CVE, added 2026/06/06 9:14 a.m., 67 views

CVE-2026-10725

Protocol::HTTP2 for Perl (versions up to 1.12) is vulnerable to an HTTP/2 Bomb. The inbound HPACK path lacks a header-list size limit; headers_decode materialises a full key+value copy per indexed reference with no running size check, and stream_header_block_add appends every CONTINUATION frame u...

CVSS 7.5, AI score 5.7, EPSS 0.00414
Exploits 0, References 6, Affected Software 1
Positive Technologies, added 2026/06/06 12:00 a.m., 33 views

PT-2026-47148

Name of the Vulnerable Software and Affected Versions: Protocol::HTTP2 versions prior to 1.13. Description: The software is susceptible to an HTTP/2 Bomb, where a small request can expand into large server memory consumption. This occurs because the inbound HPACK path lacks a header-list size limit...

CVSS 7.5, AI score 5.7, EPSS 0.00414
Exploits 0, References 26
OSV, added 2026/04/01 3:14 p.m., 5 views

JLSEC-2026-20

Hyperium Hyper before 0.14.19 does not allow for customization of the max_header_list_size method in the H2 third-party software, allowing attackers to perform HTTP2 attacks...

CVSS 7.5, AI score 5.9, EPSS 0.01085
Exploits 1, References 6
Hacker One, added 2026/01/13 11:39 a.m., 14 views

curl: Use-After-Free in curl_easy_nextheader when reusing header handle across requests

The API returns struct curl_header objects that internally reference libcurl-owned linked list nodes. When a new request is performed on the same CURL handle, libcurl frees and rebuilds the internal header list, but previously returned struct curl_header objects remain valid to the application an...

AI score 7.8
Exploits 0
RedhatCVE, added 2026/01/09 10:46 a.m., 6 views

CVE-2022-31394

Hyperium Hyper before 0.14.19 does not allow for customization of the max_header_list_size method in the H2 third-party software, allowing attackers to perform HTTP2 attacks...

CVSS 7.5, AI score 6.8, EPSS 0.01085
Exploits 1, References 1
IBM Security Bulletins, added 2025/12/04 8:41 a.m., 6 views

Security Bulletin: Jetty HTTP/2 Unvalidated SETTINGS_MAX_HEADER_LIST_SIZE Leads to Out-of-Memory DoS, affects watsonx.data

Summary: In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not perform validation on this setting, and tries to allocate a ByteBuffer of the specified...

CVSS 7.5, AI score 6.8, EPSS 0.00625
Exploits 0, Affected Software 1
Tenable Nessus, added 2025/12/02 12:00 a.m., 4 views

Linux Distros Unpatched Vulnerability : CVE-2025-1948

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZ...

CVSS 7.5, AI score 7.1, EPSS 0.00625
Exploits 0, References 2