Vulnerabilities > Nghttp2

DATE CVE VULNERABILITY TITLE RISK
2023-10-10 CVE-2023-44487 The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. 7.5
2023-07-13 CVE-2023-35945 Incomplete Cleanup vulnerability in multiple products
Envoy is a cloud-native high-performance edge/middle/service proxy.
network
low complexity
envoyproxy nghttp2 CWE-459
7.5
2020-06-03 CVE-2020-11080 In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. 7.5
2020-02-06 CVE-2016-1544 Resource Exhaustion vulnerability in multiple products
nghttp2 before 1.7.1 allows remote attackers to cause a denial of service (memory exhaustion).
local
low complexity
nghttp2 fedoraproject CWE-400
3.3
2018-05-08 CVE-2018-1000168 NULL Pointer Dereference vulnerability in multiple products
nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of service.
network
low complexity
nghttp2 nodejs debian CWE-476
7.5
2016-01-12 CVE-2015-8659 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
The idle stream handling in nghttp2 before 1.6.0 allows attackers to have unspecified impact via unknown vectors, aka a heap-use-after-free bug.
network
low complexity
apple nghttp2 CWE-119
critical
10.0