Browse all 4 CVE security advisories affecting nghttp2. AI-powered Chinese analysis, POCs, and references for each vulnerability.
Nghttp2 serves as an HTTP/2 implementation library, enabling efficient web communication for applications and servers. Historically, it has been susceptible to remote code execution vulnerabilities due to buffer overflows and integer overflows, along with denial-of-service flaws from improper handling of input data. While no major public incidents have been widely documented, the four recorded CVEs highlight potential risks in memory management and parsing logic. Its C codebase and complex protocol implementation contribute to ongoing security challenges, requiring careful integration and regular updates to mitigate risks in environments handling high-volume HTTP/2 traffic.
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-27135 | nghttp2 Denial of service: Assertion failure due to the missing state validation — nghttp2CWE-617 | 7.5 | High | 2026-03-18 |
| CVE-2024-28182 | Reading unbounded number of HTTP/2 CONTINUATION frames to cause excessive CPU usage — nghttp2CWE-770 | 5.3 | Medium | 2024-04-04 |
| CVE-2020-11080 | Denial of service in nghttp2 — nghttp2CWE-707 | 3.7 | Low | 2020-06-03 |
| CVE-2016-1544 | Nghttp2 资源管理错误漏洞 — nghttp2 | 6.2 | - | 2020-02-06 |
This page lists every published CVE security advisory associated with nghttp2. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.