43 matches found
CVE-2026-39806
Loop with Unreachable Exit Condition 'Infinite Loop' vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion. 'Elixir.Bandit.HTTP1.Socket':do_read_chunked_data!/5 in lib/bandit/http1/socket.ex terminates only when the last-chunk line 0\r\n is...
CVE-2026-39803
CVE-2026-39803 – Bandit (Elixir) memory exhaustion via chunked HTTP/1 bodies. The issue occurs in the chunked path of Elixir.Bandit.HTTP1.Socket.read_data/2 where the caller-supplied length is ignored; every received chunk is buffered into an iolist and the entire body is materialized as a single...
UBUNTU-CVE-2026-22263
Suricata is a network IDS, IPS and NSM engine. Starting in version 8.0.0 and prior to version 8.0.3, inefficiency in http1 headers parsing can lead to slowdown over multiple packets. Version 8.0.3 patches the issue. No known workarounds are available...
CVE-2026-22263 Suricata http1: quadratic complexity in headers parsing over multiple packets
Suricata is a network IDS, IPS and NSM engine. Starting in version 8.0.0 and prior to version 8.0.3, inefficiency in http1 headers parsing can lead to slowdown over multiple packets. Version 8.0.3 patches the issue. No known workarounds are available...
CVE-2026-22263
Suricata (network IDS/IPS/NSM) is affected by CVE-2026-22263 due to inefficiency in HTTP/1 header parsing that can cause slowdown over multiple packets. Affected versions are 8.0.0 up to, but not including, 8.0.3; the issue is fixed in 8.0.3. No workarounds are stated in the provided documents. T...
CVE-2026-22260
CVE-2026-22260 affects Suricata
CVE-2026-22260 Suricata http1: infinite recursion in decompression
Suricata is a network IDS, IPS and NSM engine. Starting in version 8.0.0 and prior to version 8.0.3, Suricata can crash with a stack overflow. Version 8.0.3 patches the issue. As a workaround, use default values for request-body-limit and response-body-limit...
Suricata security vulnerabilities
Suricata is a network IDS, IPS, and NSM engine developed by the Open Information Security Foundation. Suricata versions from 8.0.0 up to, but not including, 8.0.3 contained security vulnerabilities. These vulnerabilities were due to inefficient parsing of http1 headers, which could lead to performance degradati...
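The Suricata entries above (CVE-2026-22263) describe header parsing whose cost grows quadratically when one header block arrives spread over many packets. The following is an added illustration of that class of defect and its fix, not Suricata's code: two small header-block assemblers that differ only in whether the search for the terminating CRLF CRLF restarts at the beginning of the buffer on every packet or resumes just before where the previous packet ended, plus a bound on how large an unfinished header block may grow. The class names, the byte counter, MAX_HEADER_BYTES and REQUEST_HEAD are constructed for the demo.

```python
HEADER_END = b"\r\n\r\n"
MAX_HEADER_BYTES = 64 * 1024  # an unfinished header block may not grow beyond this


class HeaderTooLarge(Exception):
    """No CRLF CRLF within MAX_HEADER_BYTES: reject the request rather than buffer forever."""


class RescanningAssembler:
    """Finds the end of the header block by searching the whole accumulated buffer
    after every packet. Total work is quadratic in the number of packets the peer
    uses to deliver one header block (an illustration of the defect, not Suricata's code)."""

    def __init__(self):
        self.buf = bytearray()
        self.scanned = 0  # bytes examined so far, to make the cost visible

    def feed(self, packet: bytes):
        self.buf += packet
        self.scanned += len(self.buf)  # every packet re-examines everything buffered
        i = self.buf.find(HEADER_END)
        if i < 0:
            if len(self.buf) > MAX_HEADER_BYTES:
                raise HeaderTooLarge()
            return None
        head = bytes(self.buf[:i + len(HEADER_END)])
        del self.buf[:i + len(HEADER_END)]  # whatever follows (the body) stays for the next stage
        return head


class ResumingAssembler:
    """Same job, but the search resumes just before where the previous packet ended,
    so each byte is examined at most len(HEADER_END) times and total work is linear."""

    def __init__(self):
        self.buf = bytearray()
        self.scanned = 0

    def feed(self, packet: bytes):
        # the terminator can straddle the packet boundary, so back up by len(HEADER_END) - 1
        start = max(0, len(self.buf) - (len(HEADER_END) - 1))
        self.buf += packet
        self.scanned += len(self.buf) - start
        i = self.buf.find(HEADER_END, start)
        if i < 0:
            if len(self.buf) > MAX_HEADER_BYTES:
                raise HeaderTooLarge()
            return None
        head = bytes(self.buf[:i + len(HEADER_END)])
        del self.buf[:i + len(HEADER_END)]
        return head


def deliver(assembler, data: bytes, packet_size: int = 1):
    """Feed data to an assembler in packets of packet_size bytes; return the header block once found."""
    for off in range(0, len(data), packet_size):
        head = assembler.feed(data[off:off + packet_size])
        if head is not None:
            return head
    return None


# constructed request head for the demo (46 bytes)
REQUEST_HEAD = b"GET / HTTP/1.1\r\nHost: example.test\r\nX-A: 1\r\n\r\n"

if __name__ == "__main__":
    for cls in (RescanningAssembler, ResumingAssembler):
        a = cls()
        deliver(a, REQUEST_HEAD)  # one byte per packet: the worst case for the rescanning version
        print(cls.__name__, "examined", a.scanned, "bytes for a", len(REQUEST_HEAD), "byte header")
```

With one byte per packet the rescanning assembler examines n(n+1)/2 bytes for an n-byte header block, the resuming one 4n - 6; a peer that trickles a large header one byte per segment turns the first into a CPU sink, which is why the size cap alone is not a sufficient fix.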
CVE-2025-47905
Varnish Cache before 7.6.3 and 7.7 before 7.7.1, and Varnish Enterprise before 6.0.13r14, allow client-side desync via HTTP/1 requests, because the product incorrectly permits CRLF to be skipped to delimit chunk boundaries...
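Three entries above concern the chunked transfer coding: a Bandit reader that only terminates once the last-chunk line arrives (CVE-2026-39806), a Bandit reader that ignores the caller's length limit and buffers every chunk (CVE-2026-39803), and Varnish accepting a skipped CRLF at a chunk boundary (CVE-2025-47905). The following added example is not code from any of those projects; it is a small incremental chunked-body decoder in Python that addresses all three: it never loops without consuming input and treats EOF before the last-chunk as an error, it checks the declared chunk size against a caller-supplied cap before copying anything, and it rejects chunk data that is not followed by CRLF. MAX_LINE, the class and function names and the packets in the demo are constructed for the example.

```python
import re

# chunk-size line: 1..8 hex digits, optional chunk extension, then CRLF (RFC 9112 section 7.1)
CHUNK_SIZE_LINE = re.compile(rb"([0-9A-Fa-f]{1,8})(?:;[^\r\n]*)?\r\n")
MAX_LINE = 1024  # bound on a size line or trailer section, so a peer cannot stall us by withholding CRLF


class ChunkedBodyError(Exception):
    """Malformed, oversized or truncated chunked body: reject the request and close the connection."""


class ChunkedDecoder:
    """Incremental decoder for a chunked HTTP/1 message body.

    feed() consumes what has arrived and returns True once the last-chunk and the
    trailer section have been seen. It never blocks and never loops without
    consuming input, so a stalled peer is handled by the caller's read deadline,
    not by spinning here. The declared chunk size is checked against max_body
    before any data is copied, so the cap applies to the wire length, not to
    whatever the peer eventually sends.
    """

    def __init__(self, max_body: int):
        self.max_body = max_body
        self.buf = bytearray()   # undecoded bytes
        self.body = bytearray()  # decoded payload, never longer than max_body
        self.remaining = None    # bytes of the current chunk still to copy; None = expecting a size line
        self.done = False
        self.trailing = b""      # bytes after the body, i.e. the start of the next pipelined request

    def feed(self, data: bytes) -> bool:
        if self.done:
            raise ChunkedBodyError("feed after completion")
        self.buf += data
        while not self.done and self._step():
            pass
        return self.done

    def _step(self) -> bool:
        """Consume one unit (size line, chunk data or trailer section); False means more input is needed."""
        if self.remaining is None:
            m = CHUNK_SIZE_LINE.match(self.buf)
            if m is None:
                if b"\r\n" in self.buf or len(self.buf) > MAX_LINE:
                    raise ChunkedBodyError("malformed chunk-size line: %r" % bytes(self.buf[:16]))
                return False  # size line incomplete: wait for more input, do not spin
            size = int(m.group(1), 16)
            del self.buf[:m.end()]
            if len(self.body) + size > self.max_body:
                raise ChunkedBodyError("chunked body exceeds %d bytes" % self.max_body)
            self.remaining = size  # 0 means the last-chunk was seen; the trailer section follows
            return True
        if self.remaining == 0:
            if self.buf[:2] == b"\r\n":
                end = 2  # empty trailer section
            else:
                i = self.buf.find(b"\r\n\r\n")
                if i < 0:
                    if len(self.buf) > MAX_LINE:
                        raise ChunkedBodyError("trailer section too long")
                    return False
                end = i + 4
            self.trailing = bytes(self.buf[end:])
            self.buf.clear()
            self.done = True
            return True
        need = self.remaining + 2  # chunk data plus its terminating CRLF
        if len(self.buf) < need:
            return False
        if self.buf[self.remaining:need] != b"\r\n":
            # The CRLF after chunk data is not optional. Accepting its absence lets two parsers
            # disagree about where the chunk ends, which is the request-smuggling primitive.
            raise ChunkedBodyError("chunk data not terminated by CRLF")
        self.body += self.buf[:self.remaining]
        del self.buf[:need]
        self.remaining = None
        return True


def read_chunked_body(read, max_body: int, block: int = 4096):
    """Drive a decoder from a blocking read(n) callable such as sock.recv.

    Returns (body, trailing). An empty read means the peer closed before the
    last-chunk arrived: that is an error, not a reason to keep looping.
    """
    dec = ChunkedDecoder(max_body)
    while not dec.done:
        data = read(block)
        if not data:
            raise ChunkedBodyError("peer closed before the last-chunk")
        dec.feed(data)
    return bytes(dec.body), dec.trailing


def reader_from(packets):
    """Stand-in for a socket: hands out the given packets in order, then b"" (EOF). Demo input only."""
    it = iter(packets)
    return lambda n: next(it, b"")


if __name__ == "__main__":
    demo = reader_from([b"4\r\nWiki\r\n5\r\npedia\r\n", b"0\r\n\r\nGET /next"])
    print(read_chunked_body(demo, max_body=64))  # (b'Wikipedia', b'GET /next')
```

A blocking socket still needs a receive timeout on top of this, since the decoder cannot tell a slow peer from a silent one; what it guarantees is that a peer who never sends the last-chunk costs one idle socket rather than a spinning worker or an unbounded buffer.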
Important: ecs-service-connect-agent
Issue Overview: Envoy is a cloud-native high-performance edge/middle/service proxy. In affected versions sendOverloadError is going to assume the active request exists when envoy.load_shed_points.http1_server_abort_dispatch is configured. If active_request is nullptr, only onMessageBeginImpl is called...
CVE-2024-53270 HTTP/1: sending overload crashes when the request is reset beforehand in envoy
Envoy is a cloud-native high-performance edge/middle/service proxy. In affected versions sendOverloadError is going to assume the active request exists when envoy.load_shed_points.http1_server_abort_dispatch is configured. If active_request is nullptr, only onMessageBeginImpl is called. However, the...
Moderate Photon OS Security Update - PHSA-2024-4.0-0713
Updates of 'rubygem-protocol-http1' packages of Photon OS have been released...
Moderate Photon OS Security Update - PHSA-2024-5.0-0405
Updates of 'rubygem-protocol-http1', 'linux-esx', 'linux' packages of Photon OS have been released...
PT-2024-9687 · Envoy · Envoy
Name of the Vulnerable Software and Affected Versions: Envoy versions prior to 1.29.12; Envoy versions prior to 1.30.9; Envoy versions prior to 1.31.5; Envoy versions prior to 1.32.3. Description: The issue is related to the envoy.load_shed_points.http1_server_abort_dispatch configuration in Envoy, a...
CVE-2023-44386 Incorrect request error handling triggers server crash in Vapor
Vapor is an HTTP web framework for Swift. There is a denial of service vulnerability impacting all users of affected versions of Vapor. The HTTP1 error handler closed connections when HTTP parse errors occur instead of passing them on. The issue is fixed as of Vapor release 4.84.2...
CBL Mariner 2.0 Security Update: rubygem-protocol-http1 (CVE-2023-38697)
The version of rubygem-protocol-http1 installed on the remote CBL Mariner 2.0 host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2023-38697 advisory. - protocol-http1 provides a low-level implementation of the HTTP/1 protocol. RFC 9112 Section...
CVE-2023-38697 affecting package rubygem-protocol-http1 for versions less than 0.15.1-1
CVE-2023-38697 affecting package rubygem-protocol-http1 for versions less than 0.15.1-1. An upgraded version of the package is available that resolves this issue...