httpd: HTTP/2: Remote Denial of Service via compression bomb and Slowloris-style attack

A flaw was found in HTTP/2, affecting various web servers. A remote attacker can exploit this vulnerability by combining an HPACK compression bomb with a zero-byte flow-control window. This technique allows a small amount of data to expand into large memory allocations on the server, which are th...

CVE‑2026‑49975 – HTTP/2 Denial of Service Vulnerability

Status: EPMM unaffected Summary: CVE‑2026‑49975 is a denial‑of‑service DoS vulnerability affecting HTTP/2 implementations in several web servers. The issue allows an unauthenticated attacker to exhaust server memory using specially crafted HTTP/2 requests. EPMM / Sentry rely on Apache Tomcat for...

SUSE-SU-2026:2325-1 Security update for kubernetes1.26

This update for kubernetes1.26 fixes the following issues - CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGSMAXFRAMESIZE bsc1265740. - CVE-2026-35469: github.com/moby/spdystream: memory amplification in SPDY frame parsing leads to denial of service...

Netty HTTP/2: Advertised MAX_CONCURRENT_STREAMS are not enforced

Impact DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAXVALUE, and Http2Settings never inserts SETTINGSMAXCONCURRENTSTREAMS by default Http2Settings.java:305-307 only clamps a user-supplied value. Unless the application explicitly calls...

CVE-2026-48913

Use After Free vulnerability in Apache HTTP Server module modhttp2 when file handles are already exhausted. This issue affects Apache HTTP Server: from 2.4.55 through 2.4.67...

CVE-2026-48913

Use After Free vulnerability in Apache HTTP Server module modhttp2 when file handles are already exhausted. This issue affects Apache HTTP Server: from 2.4.55 through 2.4.67...

CVE-2026-43972 gun HTTP/2 PUSH_PROMISE authority not validated against connection origin allows cross-origin cookie injection

Origin Validation Error vulnerability in ninenines gun gunhttp2 module allows cross-origin cookie injection via unvalidated HTTP/2 PUSHPROMISE authority. In gunhttp2:pushpromiseframe/7, the :authority pseudo-header from an incoming PUSHPROMISE frame is stored verbatim into the promised stream...

USN-8398-1: nginx vulnerability

It was discovered that nginx incorrectly handled certain cookie headers in the HTTP/2 implementation. A remote attacker could possibly use this issue to cause nginx to consume excessive resources, resulting in a denial of service...

USN-8398-1 nginx vulnerability

It was discovered that nginx incorrectly handled certain cookie headers in the HTTP/2 implementation. A remote attacker could possibly use this issue to cause nginx to consume excessive resources, resulting in a denial of service...

Apache 2.4.x < 2.4.68 Multiple Vulnerabilities

The version of Apache httpd installed on the remote host is prior to 2.4.68. It is, therefore, affected by multiple vulnerabilities as referenced in the 2.4.68 advisory. - CVE-2026-49975, also known as HTTP/2 Bomb, is a remote denial-of-service exploit against most major web servers, including:...

Important: ecs-init

Issue Overview: When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. CVE-2026-33811 When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a...

Important: amazon-ssm-agent

Issue Overview: When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGSMAXFRAMESIZE with a value of 0. CVE-2026-33814 Affected Packages: amazon-ssm-agent Issue Correction: Run dnf update amazon-ssm-agent --releasever...

PT-2026-47612

Impact DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAX VALUE, and Http2Settings never inserts SETTINGS MAX CONCURRENT STREAMS by default Http2Settings.java:305-307 only clamps a user-supplied value. Unless the application explicitly calls...

PT-2026-47594

It was discovered that nginx incorrectly handled certain cookie headers in the HTTP/2 implementation. A remote attacker could possibly use this issue to cause nginx to consume excessive resources, resulting in a denial of service...

Amazon Linux 2023 : ecs-init (ALAS2023-2026-1771)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1771 advisory. When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. CVE-2026-33811 When processing HTTP/2 SETTINGS frames, transport...

Debian dla-4620 : apache2 - security update

The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dla-4620 advisory. - ------------------------------------------------------------------------- Debian LTS Advisory DLA-4620-1 [email protected] https://www.debian.org/lts/security/...

[SECURITY] [DSA 6323-1] apache2 security update

------------------------------------------------------------------------- Debian Security Advisory DSA-6323-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso June 06, 2026 https://www.debian.org/security/faq -...

CVE-2026-10725

Protocol::HTTP2 versions through 1.12 for Perl is vulnerable to a HTTP/2 Bomb. Protocol::HTTP2's inbound HPACK path has no header-list size limit, so a small HTTP/2 request can expand into large server memory the "HTTP/2 bomb". The headersdecode method materialises a full key+value copy per index...

CVE-2026-10725

Protocol::HTTP2 for Perl (versions up to 1.12) is vulnerable to an HTTP/2 Bomb. The inbound HPACK path lacks a header-list size limit; headers_decode materialises a full key+value copy per indexed reference with no running size check, and stream_header_block_add appends every CONTINUATION frame u...

CVE-2026-42926

When NGINX Open Source is configured to proxy HTTP/2 traffic by setting proxyhttpversion to 2, and also uses proxysetbody, an attacker may be able to inject frame headers and payload bytes to the upstream peer. Note: Software versions which have reached End of Technical Support EoTS are not...