24 matches found
mod_http2 security, bug fix, and enhancement update
2.0.29-4.2 - Resolves: RHEL-188008 - address CVE-2026-43951, CVE-2026-48913 2.0.29-4.1 - Resolves: RHEL-182410 - modhttp2: HTTP/2: Remote Denial of Service via compression bomb and Slowloris-style attack CVE-2026-49975 2.0.29-4 - Resolves: RHEL-166269 - httpd: Apache HTTP Server: HTTP/2 DoS by...
RLSA-2026:25225 Important: mod_http2 security update
The modh2 Apache httpd module implements the HTTP2 protocol h2+h2c on top of libnghttp2 for httpd 2.4 servers. Security Fixes: httpd: HTTP/2: Remote Denial of Service via compression bomb and Slowloris-style attack CVE-2026-49975 For more details about the security issues, including the impact, a...
CVE-2026-43972
Origin Validation Error vulnerability in ninenines gun gunhttp2 module allows cross-origin cookie injection via unvalidated HTTP/2 PUSHPROMISE authority. In gunhttp2:pushpromiseframe/7, the :authority pseudo-header from an incoming PUSHPROMISE frame is stored verbatim into the promised stream...
Gun 访问控制错误漏洞
Gun is an open-source Erlang HTTP client developed by Nine Nines that supports HTTP/1.1, HTTP/2, and WebSocket. In versions 2.0.0 to 2.4.0 of Gun, there was a access control vulnerability. This vulnerability stemmed from a source validation error in the gunhttp2 module, which could allow...
PT-2026-47331
Name of the Vulnerable Software and Affected Versions Apache HTTP Server versions 2.4.55 through 2.4.67 Description A Use After Free issue exists in the mod http2 module of Apache HTTP Server, which occurs when file handles are already exhausted. Use After Free is a memory corruption flaw where a...
mod_http2: Apache HTTP Server: HTTP/2 DoS by Memory Increase
A flaw was found in Apache HTTP Server. This late release of memory after effective lifetime vulnerability allows a remote, unauthenticated attacker to cause a denial of service DoS. The vulnerability can lead to resource exhaustion, making the server unavailable to legitimate users...
ALSA-2026:22528 Moderate: mod_http2 security update
The modh2 Apache httpd module implements the HTTP2 protocol h2+h2c on top of libnghttp2 for httpd 2.4 servers. Security Fixes: httpd: Apache HTTP Server: HTTP/2 DoS by Memory Increase CVE-2025-53020 For more details about the security issues, including the impact, a CVSS score, acknowledgments, a...
Moderate: mod_http2 security update
The modh2 Apache httpd module implements the HTTP2 protocol h2+h2c on top of libnghttp2 for httpd 2.4 servers. Security Fixes: httpd: Apache HTTP Server: HTTP/2 DoS by Memory Increase CVE-2025-53020 For more details about the security issues, including the impact, a CVSS score, acknowledgments, a...
Exploit for Double Free in Apache Http_Server
CVE-2026-23918 Double-free in Apache httpd modhttp2 stream c...
CLSA-2026-1778107205 Fix CVE(s): CVE-2026-23918
SECURITY UPDATE: double free / possible RCE in modhttp2 stream purge - debian/patches/CVE-2026-23918.patch: deduplicate inserts into the spurge array in modules/http2/h2mplx.c via a new addforpurge helper to prevent the same h2stream from being freed twice. - CVE-2026-23918...
FreeBSD : www/apache24 -- Multiple vulnerabilities (1ccc383b-486a-11f1-8b62-8447094a420f)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 1ccc383b-486a-11f1-8b62-8447094a420f advisory. The Apache httpd project reports: modproxyajp: CVE-2026-34059, CVE-2026-34032, CVE-2026-33857,...
MiracleLinux 4 : httpd24-httpd-2.4.25-9.AXS4 (AXSA:2017-1637:01)
The remote MiracleLinux 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2017-1637:01 advisory. The Apache HTTP Server is a powerful, efficient, and extensible web server. Security issues fixed with this release: CVE-2016-0736 RESERVED This...
MiracleLinux 8 : httpd:2.4 (AXSA:2025-10834:01)
The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2025-10834:01 advisory. httpd: insufficient escaping of user-supplied data in modssl CVE-2024-47252 httpd: modssl: access control bypass by trusted clients is possible usi...
RLSA-2025:14625 Moderate: mod_http2 security update
The modh2 Apache httpd module implements the HTTP2 protocol h2+h2c on top of libnghttp2 for httpd 2.4 servers. Security Fixes: httpd: modproxyhttp2: untrusted input from a client causes an assertion to fail in the Apache modproxyhttp2 module CVE-2025-49630 For more details about the security...
mod_http2 security update
An update is available for modhttp2. This update affects Rocky Linux 10. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list The modh2 Apache httpd module implements the HTTP2 protocol h2+h2c on top o...
Apache HTTP Server: mod_proxy_http2 denial of service
...
USN-6729-1 apache2 vulnerabilities
Orange Tsai discovered that the Apache HTTP Server incorrectly handled validating certain input. A remote attacker could possibly use this issue to perform HTTP request splitting attacks. CVE-2023-38709 Keran Mu and Jianjun Chen discovered that the Apache HTTP Server incorrectly handled validatin...
PT-2021-5821 · Node.Js +7 · Node.Js +7
Name of the Vulnerable Software and Affected Versions: Node.js versions prior to 12.22.4 Node.js versions prior to 14.17.4 Node.js versions prior to 16.6.0 Description: The issue is related to a use after free attack in Node.js, where an attacker might exploit memory corruption to change process...
httpd: mod_http2 concurrent pool usage
A flaw was found in Apache httpd in versions 2.4.20 to 2.4.43. Logging using the wrong pool by modhttp2 at debug/trace log level may lead to potential crashes and denial of service. The highest threat from this vulnerability is to system availability...
httpd: memory corruption on early pushes
A vulnerability was found in Apache httpd, in modhttp2. Under certain circumstances, HTTP/2 early pushes could lead to memory corruption, causing a server to crash...