Infrastructure
HTTP/2 Bomb: One Cheap Client Pins 32GB on NGINX, Apache, IIS, Envoy and Cloudflare
A new HPACK-plus-flow-control DoS lets a home broadband connection hold 32GB of server memory in ~20 seconds. Affects the default HTTP/2 config of every major web server and proxy. NGINX and Apache have fixes; IIS, Envoy and Cloudflare Pingora do not yet.
Apache httpd CVE-2026-23918: HTTP/2 Double-Free Puts Millions of Servers at RCE Risk
Critical double-free in mod_http2's early-reset path lets remote attackers crash or take over Apache 2.4.66. Patch shipped May 4 in 2.4.67.
CrowdStrike LogScale CVE-2026-40050: Unauthenticated Path Traversal Reads Arbitrary Server Files
A critical 9.8 CVSS path traversal in CrowdStrike's LogScale lets unauthenticated attackers read arbitrary files from self-hosted clusters. Fixed in 1.235.1, 1.234.1, 1.233.1, and 1.228.2 LTS; upgrade to one of those.