Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HApache Traffic Server
APPApache6.0.0 – 6.2.37.0.0 – 7.1.68.0.0 – 8.0.3Apple Mac Os X
OSApple≥ 10.12Apple Swiftnio
APPApple1.0.0 – 1.4.0Canonical Ubuntu
OSCanonical16.0418.0419.04≥ 14.04Debian
OSDebian10.09.0F5 Big Ip Local Traffic Manager
APPF514.0.0 – 14.0.1.1 (bez)13.1.0 – 13.1.3.2 (bez)11.6.1 – 11.6.5.1 (bez)15.0.0 – 15.0.1.1 (bez)14.1.0 – 14.1.2.1 (bez)12.1.0 – 12.1.5.1 (bez)Fedora Project Fedora
OSFedoraproject2930Mcafee Web Gateway
APPMcafee7.8.2.0 – 7.8.2.13 (bez)8.1.0 – 8.2.0 (bez)7.7.2.0 – 7.7.2.24 (bez)Netapp Cloud Insights
APPNetappwszystkie wersjeNetapp Trident
APPNetappwszystkie wersjeNode.js
APPNodejs12.0.0 – 12.8.1 (bez)10.13.0 – 10.16.3 (bez)10.0.0 – 10.12.08.9.0 – 8.16.1 (bez)8.0.0 – 8.8.1Opensuse Leap
OSOpensuse15.015.1Oracle Graalvm
APPOracle19.2.0Red Hat Developer Tools
APPRedhat1.0Red Hat Enterprise Linux
OSRedhat8.0Red Hat Enterprise Linux Eus
OSRedhat8.1Red Hat Enterprise Linux Server
OSRedhat7.0Red Hat Enterprise Linux Workstation
OSRedhat7.0Red Hat Jboss Core Services
APPRedhat1.0Red Hat Jboss Enterprise Application Platform
APPRedhat7.2.07.3.0Red Hat OpenShift Container Platform
APPRedhat3.103.113.94.14.2Red Hat Openshift Service Mesh
APPRedhat1.0Red Hat Openstack
APPRedhat14Red Hat Quay
APPRedhat3.0.0Red Hat Single Sign On
APPRedhat7.3Red Hat Software Collections
APPRedhat1.0Synology Diskstation Manager
OSSynology6.2Synology Skynas
APPSynologywszystkie wersjeSynology Vs960hd
HWSynologywszystkie wersjeSynology Vs960hd Firmware
OSSynologywszystkie wersje
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
DoS
References
Related vulnerabilities
CVE-2026-24061CRITICAL9.8⚠ KEVPL ✓ten sam produkt
GNU Inetutils telnetd: ominięcie uwierzytelnienia przez zmienną USER
CVE-2025-32463CRITICAL9.3⚠ KEVPL ✓ten sam produkt
Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)
CVE-2025-49113CRITICAL9.9⚠ KEVPL ✓ten sam produkt
RCE przez deserializację PHP w Roundcube Webmail (parametr _from)
CVE-2025-32433CRITICAL10.0⚠ KEVPL ✓ten sam produkt
Erlang/OTP SSH — nieuwierzytelniony RCE (CVSS 10.0)
CVE-2025-24201CRITICAL10.0⚠ KEVPL ✓ten sam produkt
Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki