nghttp2

Top products

The 9 most recently published vulnerabilities affecting nghttp2.

• CVE-2026-40170ngtcp2 has a qlog transport parameter serialization stack buffer overflow7.5Apr 16, 2026
• CVE-2026-27135nghttp2 Denial of service: Assertion failure due to the missing state validation7.5Mar 18, 2026
• CVE-2024-28182Reading unbounded number of HTTP/2 CONTINUATION frames to cause excessive CPU usage5.3Apr 4, 2024
• CVE-2023-44487The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.KEV7.5Oct 10, 2023
• CVE-2023-35945Envoy vulnerable to HTTP/2 memory leak in nghttp2 codec7.5Jul 13, 2023
• CVE-2020-11080Denial of service in nghttp23.7Jun 3, 2020
• CVE-2016-1544nghttp2 before 1.7.1 allows remote attackers to cause a denial of service (memory exhaustion).3.3Feb 6, 2020
• CVE-2018-1000168nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of servi...7.5May 8, 2018
• CVE-2015-8659The idle stream handling in nghttp2 before 1.6.0 allows attackers to have unspecified impact via unknown vectors, aka a heap-use-after-free bug.10.0Jan 12, 2016