Lucene search
K
Nghttp2Nghttp2

9 matches found

CVE
CVE
added 2023/10/10 12:0 a.m.5305 views

CVE-2023-44487

CVE-2023-44487 – HTTP/2 Rapid Reset DoS Root cause: HTTP/2 stream resets can cause servers to continue processing, leading to unbounded resource consumption and potential DoS when clients rapidly cancel streams. What’s affected: Various HTTP/2 implementations and deployments, including servers, p...

7.5CVSS8AI score0.99999EPSS
In wild
CVE
CVE
added 2020/06/03 12:0 a.m.851 views

CVE-2020-11080

In nghttp2, CVE-2020-11080 is a denial-of-service vulnerability caused by an overly large HTTP/2 SETTINGS frame payload in versions before 1.41.0. A PoC repeatedly sends a 14,400-byte SETTINGS frame (2400 settings entries), spiking CPU. The issue is mitigated by upgrading to nghttp2 1.41.0 or lat...

7.5CVSS6.5AI score0.05316EPSS
CVE
CVE
added 2024/04/04 2:41 p.m.505 views

CVE-2024-28182

CVE-2024-28182 affects nghttp2

5.3CVSS6AI score0.8496EPSS
CVE
CVE
added 2023/07/13 8:41 p.m.274 views

CVE-2023-35945

CVE-2023-35945 affects Envoy’s HTTP/2 codec. The root cause is in nghttp2 cleanup: after RST_STREAM and subsequent GOAWAY, cleanup of pending requests skips deallocation, leaking header/bookkeeping structures and causing memory exhaustion (DoS). Patched in these versions: 1.26.3, 1.25.8, 1.24.9, ...

7.5CVSS7.4AI score0.01106EPSS
CVE
CVE
added 2018/05/08 3:0 p.m.197 views

CVE-2018-1000168

CVE-2018-1000168 affects nghttp2 versions 1.10.0 through 1.31.0, where an improper input validation in ALTSVC frame handling can cause a segmentation fault and denial of service. The vulnerability is exploitable via network clients. Public advisories confirm the issue is fixed in nghttp2 >= 1....

7.5CVSS6.4AI score0.10782EPSS
CVE
CVE
added 2026/03/18 5:59 p.m.144 views

CVE-2026-27135

CVE-2026-27135 affects the nghttp2 library (C). Before version 1.68.1, when applications call the public APIs nghttp2_session_terminate_session or nghttp2_session_terminate_session2, the library fails to validate internal state and continues reading the incoming data. This can cause a malformed f...

7.5CVSS5.8AI score0.00775EPSS
CVE
CVE
added 2016/01/12 7:0 p.m.118 views

CVE-2015-8659

CVE-2015-8659 describes a heap-use-after-free in nghttp2’s idle stream handling, affecting nghttp2 versions prior to 1.6.0. Public documents associate this family of issue with nghttp2 prior to 1.6.0 potentially enabling remote code execution (as cited by Apple’s tvOS/iOS security notes and Gento...

10CVSS7.2AI score0.04073EPSS
CVE
CVE
added 2026/06/28 1:32 a.m.109 views

CVE-2026-58055

nghttp2 nghttpx (up to version 1.69.0) is affected. The proxy forwards an HTTP/1.1 Upgrade request that also carries a Content-Length header and body to reusable keep-alive backend connections, re-adding Upgrade and Connection headers while passing Content-Length verbatim. This creates an ambiguo...

6.3CVSS5.8AI score0.00202EPSS
CVE
CVE
added 2020/02/06 2:20 p.m.93 views

CVE-2016-1544

CVE-2016-1544 affects nghttp2 up to version 1.7.0, where remote attackers could exhaust memory by sending unlimited incoming HTTP header fields, causing Denial of Service. Connected documents confirm the root cause as unbounded header field processing and show remediation through upgrading to ngh...

3.3CVSS4AI score0.00886EPSS