Unity Linux 20.1050a / 20.1060a / 20.1070a Security Update: git-lfs (UTSA-2026-021307)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-021307 advisory. The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is us...

Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net

...

CVE-2026-33814 Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGSMAXFRAMESIZE with a value of 0...

GO-2026-4918 Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGSMAXFRAMESIZE with a value of 0...

RHCOS 4 : OpenShift Container Platform 4.12.78 (RHSA-2025:10271)

The remote Red Hat Enterprise Linux CoreOS 4 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2025:10271 advisory. - net/http: Request smuggling due to acceptance of invalid chunked data in net/http CVE-2025-22871 Note that Nessus has not tested for this...

RHCOS 4 : OpenShift Container Platform 4.17.35 (RHSA-2025:10295)

The remote Red Hat Enterprise Linux CoreOS 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2025:10295 advisory. - podman: podman missing TLS verification CVE-2025-6032 - net/http: Request smuggling due to acceptance of invalid chunked data in...

RHCOS 4 : OpenShift Container Platform 4.15.55 (RHSA-2025:11352)

The remote Red Hat Enterprise Linux CoreOS 4 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2025:11352 advisory. - net/http: Request smuggling due to acceptance of invalid chunked data in net/http CVE-2025-22871 Note that Nessus has not tested for this...

RHCOS 4 : OpenShift Container Platform 4.16.45 (RHSA-2025:11682)

The remote Red Hat Enterprise Linux CoreOS 4 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2025:11682 advisory. - net/http: Request smuggling due to acceptance of invalid chunked data in net/http CVE-2025-22871 Note that Nessus has not tested for this...

Astra Linux - уязвимость в golang-1.15

In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy from net/http/httputil result in a situation where an attacker is able to drop arbitrary headers...

Unity Linux 20.1060a / 20.1070a Security Update: grafana (UTSA-2026-007098)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007098 advisory. The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is us...

Medium: amazon-cloudwatch-agent

Issue Overview: net/http: memory exhaustion in Request.ParseForm CVE-2025-61726 archive/zip: denial of service when parsing arbitrary ZIP archives CVE-2025-61728 crypto/tls: handshake messages may be processed at the incorrect encryption level CVE-2025-61730 crypto/tls: Config.Clone copies...

Security Bulletin: IBM Maximo Application Suite uses net/http 1.23.4,1.24.2,1.24.3,crypto/x509 1.24.2,1.24.3 which is vulnerable to CVE-2025-4673, CVE-2025-22874.

Summary IBM Maximo Application Suite uses net/http 1.23.4,1.24.2,1.24.3, crypto/x509 1.24.2,1.24.3 which is vulnerable to CVE-2025-4673,CVE-2025-22874. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2025-4673 DESCRIPTION:...

Medium: containerd

Issue Overview: net/http: memory exhaustion in Request.ParseForm CVE-2025-61726 archive/zip: denial of service when parsing arbitrary ZIP archives CVE-2025-61728 crypto/tls: handshake messages may be processed at the incorrect encryption level CVE-2025-61730 crypto/tls: Config.Clone copies...

Advisory ROSA-SA-2026-3146

Software: grafana 9.2.10 OS: ROSA Virtualization 3.1 unaffected versions = grafana-9.2.10-27.rv31 affected versions grafana-9.2.10-27.rv31 CVE-ID: CVE-2025-22871 BDU-ID: 2025-04014 CVE-Crit: CRITICAL CVE-DESC.: A vulnerability in the net/http package of the Go programming language is related to...

Updated golang packages fix security vulnerabilities

net/http: memory exhaustion in Request.ParseForm. CVE-2025-61726 archive/zip: denial of service when parsing arbitrary ZIP archives. CVE-2025-61728 crypto/tls: handshake messages may be processed at the incorrect encryption level. CVE-2025-61730 cmd/go: bypass of flag sanitization can lead to...

Amazon Linux 2023 : golist (ALAS2023-2026-1382)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1382 advisory. net/http: memory exhaustion in Request.ParseForm CVE-2025-61726 archive/zip: denial of service when parsing arbitrary ZIP archives CVE-2025-61728 crypto/tls: handshake messages may be processe...

Amazon Linux 2023 : nerdctl (ALAS2023-2026-1401)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1401 advisory. net/http: memory exhaustion in Request.ParseForm CVE-2025-61726 archive/zip: denial of service when parsing arbitrary ZIP archives CVE-2025-61728 crypto/tls: handshake messages may be processe...

CLEANSTART-2026-IA37596 net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines

Multiple security vulnerabilities affect the consul-k8s-fips package. The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. See references for individual vulnerability details...

CLEANSTART-2026-OJ41940 net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines

Multiple security vulnerabilities affect the ingress-nginx-controller package. The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. See references for individual vulnerability details...

CLEANSTART-2026-CR41732 net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines

Multiple security vulnerabilities affect the ingress-nginx-controller package. The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. See references for individual vulnerability details...