
61 matches found

OSV
added 2026/04/09 6:03 p.m., 5 views

RLSA-2026:7302 Important: nodejs:22 security update

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fixes: brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion CVE-2026-25547 minimatch: minimatch: Denial of Service via...

CVSS 7.5 | AI score 6.9 | EPSS 0.13066
Exploits 2 | References 10
RedHat Linux
added 2026/04/09 1:04 p.m., 2 views

nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination

A flaw was found in nghttp2. Due to missing internal state validation, the library continues to process incoming data even after a session has been terminated. A remote attacker could exploit this by sending a specially crafted HTTP/2 frame, leading to an assertion failure and a denial of service...

CVSS 7.5 | AI score 6.5 | EPSS 0.0056
Exploits 0 | References 6
RedHat Linux
added 2026/04/08 6:17 p.m., 4 views

nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination

A flaw was found in nghttp2. Due to missing internal state validation, the library continues to process incoming data even after a session has been terminated. A remote attacker could exploit this by sending a specially crafted HTTP/2 frame, leading to an assertion failure and a denial of service...

CVSS 7.5 | AI score 5.8 | EPSS 0.0056
Exploits 0 | References 6
OSV
added 2026/04/02 3:16 p.m., 1 view

DEBIAN-CVE-2026-31935

Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, flooding of crafted HTTP2 continuation frames can lead to memory exhaustion, usually resulting in the Suricata process being shut down by the operating system. This issue has been patched in versions 7.0.15 and 8.0.4...

CVSS 7.5 | AI score 5.2 | EPSS 0.00272
Exploits 0 | References 1
CVE
added 2026/04/02 2:36 p.m., 15 views

CVE-2026-31935

CVE-2026-31935 affects Suricata (IDS/IPS/NSM engine). The issue arises when flooding crafted HTTP2 continuation frames leads to memory exhaustion, usually causing the Suricata process to be terminated by the OS. It is fixed in Suricata versions 7.0.15 and 8.0.4. Connected sources confirm the vulner...

CVSS 7.5 | AI score 5.7 | EPSS 0.00272
Exploits 0 | References 2 | Affected software 1
RedhatCVE
added 2026/03/26 3:06 p.m., 4 views

CVE-2026-26311

Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, a logic vulnerability in Envoy's HTTP connection manager FilterManager allows for Zombie Stream Filter Execution. This issue creates a "Use-After-Free" (UAF) or state-corruption window where...

CVSS 5.9 | AI score 5.8 | EPSS 0.00337
Exploits 1 | References 1
RedhatCVE
added 2026/03/23 10:53 a.m., 8 views

CVE-2026-33186

A flaw was found in gRPC-Go, the Go language implementation of gRPC. This vulnerability, an authorization bypass, is caused by improper input validation of the HTTP/2 :path pseudo-header. A remote attacker can exploit this by sending raw HTTP/2 frames with a malformed :path that omits the mandato...

CVSS 9.1 | AI score 5.8 | EPSS 0.00522
Exploits 1 | References 4
SUSE CVE
added 2026/03/03 12:24 a.m., 2 views

SUSE CVE-2026-27141

Due to a missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic...

CVSS 7.5 | AI score 5.8 | EPSS 0.00501
Exploits 0 | References 4
OSV
added 2026/02/26 8:31 p.m., 1 view

AZL-78629 CVE-2026-27141 affecting package nmi 1.8.17-6

Due to a missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic...

CVSS 7.5 | AI score 7.2 | EPSS 0.00501
Exploits 0 | References 1
OSV
added 2026/02/26 8:31 p.m., 6 views

AZL-78653 CVE-2026-27141 affecting package azl-otel-collector 0.127.0-1

Due to a missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic...

CVSS 7.5 | AI score 7.4 | EPSS 0.00501
Exploits 0 | References 1
OSV
added 2026/02/26 8:31 p.m., 2 views

AZL-78680 CVE-2026-27141 affecting package azurelinux-image-tools 1.2.0-1

Due to a missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic...

CVSS 7.5 | AI score 7.4 | EPSS 0.00501
Exploits 0 | References 1
OSV
added 2026/02/26 8:31 p.m., 5 views

AZL-78656 CVE-2026-27141 affecting package buildah 1.41.4-6

Due to a missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic...

CVSS 7.5 | AI score 7.2 | EPSS 0.00501
Exploits 0 | References 1
OSV
added 2026/02/26 8:31 p.m., 1 view

AZL-78659 CVE-2026-27141 affecting package cri-o 1.30.1-1

Due to a missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic...

CVSS 7.5 | AI score 7.2 | EPSS 0.00501
Exploits 0 | References 1
Cvelist
added 2026/02/26 6:50 p.m., 22 views

CVE-2026-27141 Sending certain HTTP/2 frames can cause a server to panic in golang.org/x/net

Due to a missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic...

EPSS 0.00501
Exploits 0 | References 4
ATTACKERKB
added 2026/02/26 6:50 p.m., 3 views

CVE-2026-27141

Due to a missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic...

CVSS 7.5 | AI score 7.1 | EPSS 0.00501
Exploits 0 | References 5 | Affected software 1
CVE
added 2026/02/26 6:50 p.m., 33 views

CVE-2026-27141

CVE-2026-27141 involves a panic in responses to certain HTTP/2 frames due to a missing nil check. Concrete details from connected docs show affected packages and versions: ignition-flatcar < 2.22.0-2 and azurelinux-image-tools

CVSS 7.5 | AI score 5.4 | EPSS 0.00501
Exploits 0 | References 4
Positive Technologies
added 2026/02/26 12:00 a.m., 7 views

PT-2026-22177

Name of the Vulnerable Software and Affected Versions: versions prior to 2026-27141. Description: A missing nil check allows a server to panic when receiving specific HTTP/2 frames, specifically those ranging from 0x0a to 0x0f. This issue does not have any reported real-world incidents or estimated...

CVSS 7.8 | AI score 6 | EPSS 0.00501
Exploits 0 | References 375
Tenable Nessus
added 2025/10/04 12:00 a.m., 8 views

RockyLinux 10 : tomcat9 (RLSA-2025:11332)

The remote RockyLinux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2025:11332 advisory. tomcat: Incomplete fix for CVE-2024-50379 - RCE due to TOCTOU issue in JSP compilation CVE-2024-56337 tomcat: Apache Tomcat: DoS via malformed HTTP/2...

CVSS 9.8 | AI score 7.6 | EPSS 0.66365
Exploits 18 | References 5
Veracode
added 2025/09/30 1:54 p.m., 4 views

Denial Of Service (DoS)

Netty is vulnerable to Denial of Service (DoS). The vulnerability is due to improper handling of malformed HTTP/2 control frames, caused by a flaw in enforcing the max concurrent streams limit, leading to resource exhaustion and denial of service...

CVSS 8.2 | AI score 6.7 | EPSS 0.00979
Exploits 1 | References 7 | Affected software 2
Snyk
added 2025/08/20 8:52 p.m., 2 views

Allocation of Resources Without Limits or Throttling

Overview: Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via malformed HTTP/2 control frames that manipulate the RST_STREAM process. An attacker can exhaust server resources and disrupt service availability by rapidly sending specially craft...

CVSS 8.7 | AI score 7 | EPSS 0.01567
Exploits 0 | References 2