Http2

CVE-2026-41227 describes a vulnerability in an F5 Networks product where undisclosed traffic on an HTTP/2 virtual server with Layer 7 DoS Protection enabled can lead to increased memory consumption and termination of the Traffic Management Microkernel (TMM) process.

A vulnerability in Apache HTTP Server's HTTP/2 protocol can lead to denial of service by crashing worker processes, and in specific configurations (APR with mmap), remote code execution.

An unauthenticated remote denial-of-service vulnerability in Plug.Cowboy allows attackers to exhaust the BEAM atom table via HTTP/2 requests, crashing the Erlang VM.

A denial of service vulnerability, CVE-2026-31935, exists in Suricata versions prior to 7.0.15 and 8.0.4, where flooding the system with crafted HTTP2 continuation frames leads to memory exhaustion and process termination.

A denial of service vulnerability exists in Netty's HTTP/2 server implementation where an unauthenticated user can exhaust server CPU resources by sending a flood of CONTINUATION frames with zero-byte payloads, bypassing size-based mitigations and leading to service unavailability with minimal bandwidth usage; affected versions include netty-codec-http2 < 4.1.132.Final and netty-codec-http2 versions >= 4.2.0.Alpha1 and < 4.2.10.Final.