nghttp2 Vulnerability Allows Denial of Service
Summary
CERT-Bund has issued a security advisory regarding a vulnerability in nghttp2 versions prior to 1.68.1. The vulnerability allows remote attackers to perform a Denial of Service attack. The advisory lists the affected systems and indicates that a mitigation is available.
What changed
CERT-Bund has released security advisory WID-SEC-2026-0775 detailing a high-severity vulnerability (CVSS Base Score 7.5) in nghttp2, a C implementation of HTTP/2 and HPACK. Versions prior to 1.68.1 are affected. A remote, anonymous attacker can exploit this flaw to cause a Denial of Service (DoS) on affected systems, which include Linux, UNIX, and Windows operating systems.
Organizations utilizing nghttp2 versions prior to 1.68.1 should immediately review their systems and apply available mitigations or update to a patched version. Failure to address this vulnerability could lead to service disruptions and potential system unavailability. While no specific compliance deadline is mentioned, prompt action is recommended to prevent DoS attacks.
What to do next
- Update nghttp2 to version 1.68.1 or later
- Implement available mitigation strategies if immediate update is not possible
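To support the version review recommended above, the following added example (not part of the CERT-Bund advisory or the nghttp2 project) triages version banners against the 1.68.1 threshold. It assumes the tool prints an `nghttp2/X.Y.Z` token, as `curl --version` does when built with nghttp2; the sample banners are constructed.

```python
import re

FIXED = (1, 68, 1)  # first fixed release according to the advisory

# "nghttp2/X.Y.Z" token printed in version banners of tools that link the
# library; an optional suffix such as "-DEV" is captured separately.
_TOKEN = re.compile(r"nghttp2/(\d+)\.(\d+)\.(\d+)(-[\w.]+)?")


def nghttp2_version(banner):
    """Return ((major, minor, patch), suffix) found in a banner, or None."""
    m = _TOKEN.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.group(1, 2, 3)), m.group(4) or ""


def triage(banner):
    """Classify one banner as 'affected', 'ok', 'review' or 'unknown'."""
    parsed = nghttp2_version(banner)
    if parsed is None:
        return "unknown"   # no token: built without nghttp2, or other format
    version, suffix = parsed
    if version < FIXED:
        # Below 1.68.1. Distribution packages may carry a backported fix
        # under an older upstream number, so confirm with the package manager.
        return "affected"
    if version == FIXED and suffix:
        return "review"    # suffixed build of the fixed version: check by hand
    return "ok"


# Constructed sample banners (not captured from real hosts).
SAMPLES = {
    "web01": "curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 "
             "OpenSSL/3.0.13 zlib/1.3 nghttp2/1.59.0 librtmp/2.3",
    "web02": "nghttp nghttp2/1.68.1",
    "build": "curl 8.9.0 libcurl/8.9.0 nghttp2/1.68.1-DEV",
    "edge":  "curl 8.12.0 libcurl/8.12.0 OpenSSL/3.4.0 nghttp2/1.70.0",
    "old":   "curl 7.29.0 libcurl/7.29.0 NSS/3.44 zlib/1.2.7",
}


def report(samples):
    """Map each host label to its triage result."""
    return {host: triage(banner) for host, banner in samples.items()}


if __name__ == "__main__":
    for host, status in report(SAMPLES).items():
        print(f"{host}: {status}")
```
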
Source document (simplified)
[WID-SEC-2026-0775] nghttp2: Vulnerability allows denial of service
- CVSS Base Score: 7.5 (high)
- CVSS Temporal Score: 6.5 (medium)
- Remote attack: yes
- Date: 17.03.2026
- Last updated: 18.03.2026
- Mitigation: yes
Affected systems
Operating system
- Linux
- Other
- UNIX
- Windows
Product description
nghttp2 is an implementation of HTTP/2 and its header compression algorithm HPACK in C.
Products
17.03.2026
- Open Source nghttp2 <1.68.1
Attack
A remote, anonymous attacker can exploit a vulnerability in nghttp2 to carry out a denial-of-service attack.