Http2

vulnerabilities 2026-06-19
Two Critical NGINX Flaws Put HTTP/3 and gRPC Proxying One Bug Away From Unauthenticated RCE
F5 patched CVE-2026-42530 and CVE-2026-42055, two CVSS 9.2 unauthenticated memory-corruption bugs in NGINX's HTTP/3 and HTTP/2 paths. Both reach RCE where ASLR can be bypassed, and both touch NGINX Ingress Controller and Gateway Fabric.
nginx cve-2026-42530 cve-2026-42055 rce http3 http2 grpc f5 kubernetes ingress gateway-fabric
vulnerabilities 2026-06-09
Microsoft's June Patch Tuesday Is Its Biggest Ever: 200 Flaws, 33 Critical, Three Public Zero-Days
Microsoft's largest Patch Tuesday on record fixes 200 vulnerabilities including HTTP.sys and Kerberos KDC RCEs, three Hyper-V escapes, and the HTTP/2 Bomb and YellowKey BitLocker zero-days.
microsoft patch-tuesday zero-day http2 bitlocker hyper-v kerberos active-directory
vulnerabilities 2026-06-03
HTTP/2 Bomb: One Cheap Client Pins 32GB on NGINX, Apache, IIS, Envoy and Cloudflare
A new HPACK-plus-flow-control DoS lets a home broadband connection hold 32GB of server memory in ~20 seconds. Affects the default HTTP/2 config of every major web server and proxy. NGINX and Apache have fixes; IIS, Envoy and Cloudflare Pingora do not yet.
http2 nginx apache envoy cloudflare iis denial-of-service hpack web-server infrastructure
vulnerabilities 2026-05-05
Apache httpd CVE-2026-23918: HTTP/2 Double-Free Puts Millions of Servers at RCE Risk
Critical double-free in mod_http2's early-reset path lets remote attackers crash or take over Apache 2.4.66. Patch shipped May 4 in 2.4.67.
apache httpd http2 cve-2026-23918 rce memory-corruption infrastructure

Http2

Two Critical NGINX Flaws Put HTTP/3 and gRPC Proxying One Bug Away From Unauthenticated RCE

Microsoft's June Patch Tuesday Is Its Biggest Ever: 200 Flaws, 33 Critical, Three Public Zero-Days

HTTP/2 Bomb: One Cheap Client Pins 32GB on NGINX, Apache, IIS, Envoy and Cloudflare

Apache httpd CVE-2026-23918: HTTP/2 Double-Free Puts Millions of Servers at RCE Risk