4439 matches found
RockyLinux 8 : nginx:1.24 (RLSA-2026:38847)
The remote RockyLinux 8 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2026:38847 advisory. nginx: NGINX: Arbitrary code execution or Denial of Service via heap-based buffer overflow with crafted HTTP/2 headers CVE-2026-42055 Bug Fixes and Enhancements:...
nginx security, bug fix, and enhancement update
An update is available for nginx. This update affects Rocky Linux 10. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list nginx is a web and proxy server supporting HTTP and other protocols, with a...
nodejs: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames
A flaw was found in Node.js. A malicious server can exploit the HTTP/2 client by sending an unlimited number of ORIGIN frames. This can lead to an Out of Memory error on the client, resulting in a denial of service...
Citrix Patches Six NetScaler Flaws Allowing File Read and Denial-of-Service
Citrix on Tuesday released security updates to address multiple flaws in NetScaler ADC formerly Citrix ADC and NetScaler Gateway formerly Citrix Gateway that could be exploited by an attacker to facilitate arbitrary file reads or trigger a denial-of-service DoS condition. The vulnerabilities are...
ALPINE-CVE-2026-48619
A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26...
libcurl 7.88.0 < 8.21.0 HTTP/2 Stream-Dependency Tree Use-After-Free
The version of libcurl installed on the remote host is 7.88.0 prior to 8.21.0. It is, therefore, affected by a use-after-free vulnerability: - A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree and subsequently invokes curleasyreset...
CVE-2026-47774 Envoy vulnerable to HTTP/2 memory exhaustion via cookie header size bypass and HPACK amplification
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability in Envoy's HTTP/2 downstream request processing allows an unauthenticated remote client to trigger excessive memory consumption, potentiall...
PT-2026-48916
Name of the Vulnerable Software and Affected Versions Netty versions prior to 4.1.135.Final Netty versions prior to 4.2.15.Final Description Netty HTTP/2 max header size handling allows for an attack similar to HTTP/2 Rapid Reset. When a client sends the SETTINGS MAX HEADER LIST SIZE setting, the...
GHSA-5375-PQ7M-F5R2 @grpc/grpc-js: A malformed request can cause a server crash
Impact An invalid incoming HTTP/2 stream initiation can cause a server process to crash. This affects all servers created using @grpc/grpc-js. Patches The following version have fixes for this vulnerability: - 1.9.16 - 1.10.12 - 1.11.4 - 1.12.7 - 1.13.5 - 1.14.4 Workarounds There is no workaround...
USN-8417-1: Tomcat vulnerabilities
It was discovered that Tomcat did not properly limit the size of WebDAV LOCK and PROPFIND request bodies. A remote attacker could use this issue to cause Tomcat to consume excessive memory, resulting in a denial of service. CVE-2026-41284 It was discovered that Tomcat incorrectly validated HTTP/2...
Exploit for CVE-2026-42926
CVE-2026-42926 NGINX HTTP/2 Frame Injection Lab A controlled...
RHEL 10 : mod_http2 (RHSA-2026:22528)
The remote Redhat Enterprise Linux 10 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2026:22528 advisory. The modh2 Apache httpd module implements the HTTP2 protocol h2+h2c on top of libnghttp2 for httpd 2.4 servers. Security Fixes: httpd: Apache HTTP...
Debian dsa-6323 : apache2 - security update
The remote Debian 12 / 13 host has packages installed that are affected by a vulnerability as referenced in the dsa-6323 advisory. - ------------------------------------------------------------------------- Debian Security Advisory DSA-6323-1 [email protected] https://www.debian.org/security/...
Security update for ignition
This update for ignition fixes the following issue CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGSMAXFRAMESIZE bsc1265751. Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST onlineupdate or...
RLSA-2026:22551 Moderate: mod_http2 security update
The modh2 Apache httpd module implements the HTTP2 protocol h2+h2c on top of libnghttp2 for httpd 2.4 servers. Security Fixes: httpd: Apache HTTP Server: HTTP/2 DoS by Memory Increase CVE-2025-53020 For more details about the security issues, including the impact, a CVSS score, acknowledgments, a...
openSUSE 16 Security Update : libsoup (openSUSE-SU-2026:20845-1)
The remote openSUSE 16 host has packages installed that are affected by a vulnerability as referenced in the openSUSE- SU-2026:20845-1 advisory. This update for libsoup fixes the following issue - CVE-2026-4271: use-after-free in the HTTP/2 server when user signal handlers disconnect connections...
Security update for libsoup (important)
openSUSE security update: security update for libsoup ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:20845-1 Rating: important References: bsc1259767 Cross-References: CVE-2026-4271 CVSS scores: CVE-2026-4271 SUSE : 8.6...
OPENSUSE-SU-2026:20845-1 Security update for libsoup
This update for libsoup fixes the following issue - CVE-2026-4271: use-after-free in the HTTP/2 server when user signal handlers disconnect connections during callback execution bsc1259767...
Amazon Linux 2023 : golang, golang-bin, golang-misc (ALAS2023-2026-1743)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1743 advisory. When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. CVE-2026-33811 When processing HTTP/2 SETTINGS frames, transport...
Amazon Linux 2023 : runfinch-finch (ALAS2023-2026-1741)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1741 advisory. When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. CVE-2026-33811 When processing HTTP/2 SETTINGS frames, transport...