Security Bulletin: Cargo in IBM Open SDK for Rust on AIX uses a vulnerable version of libnghttp2-sys (CVE-2025-7207, CVE-2025-12875)

Summary The cargo package manager in IBM Open SDK for Rust on AIX 1.90.0.0 and 1.90.0.0 uses the libnghttp2-sys-0.1.11+1.64.0 crate, which wraps a vulnerable version 1.64 of the nghttp2 library. Vulnerability Details CVEID:CVE-2025-12875 DESCRIPTION: A weakness has been identified in mruby 3.4.0...

CLSA-2026-1778129164 nghttp2: Fix of 2 CVEs

CVE-2023-35945: fix memory leak on RSTSTREAM followed by GOAWAY - CVE-2026-27135: fix iframe state validation to prevent assertion failure...

RHSA-2026:8547 Red Hat Security Advisory: nghttp2 security update

Bulletin has no description...

RHSA-2026:8538 Red Hat Security Advisory: nghttp2 security update

Bulletin has no description...

Important: Red Hat Security Advisory: nghttp2 security update

An update for nghttp2 is now available for Red Hat Enterprise Linux 9.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for...

RHEL 9 : nghttp2 (RHSA-2026:8548)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2026:8548 advisory. libnghttp2 is a library implementing the Hypertext Transfer Protocol version 2 HTTP/2 protocol in C. Security Fixes: nghttp2: nghttp2: Denial of...

RLSA-2026:7668 Important: nghttp2 security update

libnghttp2 is a library implementing the Hypertext Transfer Protocol version 2 HTTP/2 protocol in C. Security Fixes: nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination CVE-2026-27135 For more details about the security issues, including the impact, a CVSS...

Important: Red Hat Security Advisory: nghttp2 security update

An update for nghttp2 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from t...

curl: Integer Overflow/Signedness Mismatch in Printf Precision for HTTP/2 Trailer Headers

BUG IN https://raw.githubusercontent.com/curl/curl/07a9b89fedaec60bdbc254f23f66149b31d2f8da/lib/http2.c c ifstream-bodystarted / This is a trailer / H2BUGFinfofdatas, "h2 trailer: %.s: %.s", namelen, name, valuelen, value; result = Curldynaddf&stream-trailerrecvbuf, "%.s: %.s\r\n", namelen, name,...

nodejs:24 security update

An update is available for nodejs, module.nodejs-packaging, nodejs-packaging, module.nodejs, nodejs-nodemon, module.nodejs-nodemon. This update affects Rocky Linux 9. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability...

SUSE SLES12 Security Update : nghttp2 (SUSE-SU-2026:1056-1)

The remote SUSE Linux SLES12 host has packages installed that are affected by a vulnerability as referenced in the SUSE- SU-2026:1056-1 advisory. - CVE-2026-27135: Assertion failure due to missing state validation can lead to DoS bsc1259845. Tenable has extracted the preceding description block...

JLSEC-2026-5 nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C

nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API nghttp2sessionterminatesession or nghttp2sessionterminatesession2 is called by the application. They might be...

Reachable Assertion

Overview Affected versions of this package are vulnerable to Reachable Assertion due to missing internal state validation after the nghttp2sessionterminatesession or nghttp2sessionterminatesession2 APIs are called. An attacker can cause the application to terminate unexpectedly by sending a...

MiracleLinux 9 : nghttp2-1.43.0-5.el9.1 (AXSA:2023-6518:02)

The remote MiracleLinux 9 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2023-6518:02 advisory. HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack Rapid Reset Attack CVE-2023-44487 Tenable has extracted the preceding description...

MiracleLinux 7 : httpd24-httpd-2.4.34-8.el7.1, httpd24-nghttp2-1.7.1-7.el7.1 (AXSA:2019-4337:01)

The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2019-4337:01 advisory. HTTP/2: large amount of data requests leads to denial of service CVE-2019-9511 HTTP/2: flood using PRIORITY frames resulting in excessive resource...

[SECURITY] Fedora 41 Update: mod_http2-2.0.35-1.fc41

The modh2 Apache httpd module implements the HTTP2 protocol h2+h2c on top of libnghttp2 for httpd 2.4 servers...

[SECURITY] Fedora 42 Update: mod_http2-2.0.35-1.fc42

The modh2 Apache httpd module implements the HTTP2 protocol h2+h2c on top of libnghttp2 for httpd 2.4 servers...

FreeBSD : dnsdist -- Denial of service via crafted DoH exchange (c2253bff-9952-11f0-b6e2-6805ca2fa271)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the c2253bff-9952-11f0-b6e2-6805ca2fa271 advisory. [email protected] reports: In some circumstances, when DNSdist is configured to use the nghttp2...

SUSE CVE-2025-30187

In some circumstances, when DNSdist is configured to use the nghttp2 library to process incoming DNS over HTTPS queries, an attacker might be able to cause a denial of service by crafting a DoH exchange that triggers an unbounded I/O read loop, causing an unexpected consumption of CPU resources...

CVE-2025-30187

A flaw was found in DNSdist. When DNSdist is configured to use the nghttp2 library to process incoming DNS over HTTPS queries, a specially crafted DoH DNS-over-HTTPS exchange can cause an unbound I/O read loop and result in an unexpected consumption of CPU resources...