Skip to main content

HTTP/2 Servers CVE-2026-59173

CRITICAL
2026-07-16
Share

Severity by source

vuln.today AI
7.5 HIGH

Network-reachable, no authentication or user interaction needed, pure availability impact via memory exhaustion, no confidentiality or integrity effects.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Lifecycle Timeline

2
Analysis Generated
Jul 16, 2026 - 20:23 vuln.today
CVE Published
Jul 16, 2026 - 19:27 oss-security
CRITICAL

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Memory exhaustion denial-of-service affects HTTP/2 server implementations that fail to cap buffered response data under stalled flow-control conditions. A remote unauthenticated attacker opens many simultaneous HTTP/2 streams while advertising SETTINGS_INITIAL_WINDOW_SIZE = 0 or withholding WINDOW_UPDATE frames, forcing the server to accumulate unbounded in-memory response buffers it cannot transmit. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Establish HTTP/2 connection to target server
Delivery
Send SETTINGS frame with SETTINGS_INITIAL_WINDOW_SIZE = 0
Exploit
Open maximum concurrent streams, request large resources
Install
Withhold WINDOW_UPDATE frames to freeze all outbound windows
C2
Server buffers complete response bodies in heap memory per stream
Execute
Repeat across multiple connections to amplify memory exhaustion
Impact
Target OOM-killed or worker pool exhausted, denying service to legitimate clients

Vulnerability AssessmentAI

Exploitation The vulnerability is exploitable against any HTTP/2 server implementation that does not enforce an upper bound on per-stream or per-connection response buffer memory. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is moderate-to-high for any organization running an affected HTTP/2 server implementation exposed to the internet. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a standard internet connection sends a SETTINGS frame advertising SETTINGS_INITIAL_WINDOW_SIZE = 0 immediately after the HTTP/2 connection preface, then opens the server's maximum allowed number of concurrent streams and requests multiple large static resources (e.g., video files, large downloads). The server generates and buffers complete response bodies for every stream but cannot transmit a single byte, causing heap memory to grow proportional to (number of streams × average resource size). …
Remediation The primary remediation is to apply vendor-supplied patches for the specific HTTP/2 server implementation in use; consult the CERT VU#885548 vendor table at https://kb.cert.org/vuls/id/885548 for individual CVE assignments and fix versions, and the F5-specific advisory at https://my.f5.com/manage/s/article/K000162231 for F5 products. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all HTTP/2 server implementations in production (web servers, load balancers, API gateways) and assess which systems accept external untrusted traffic. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2015-4495 HIGH POC
8.8 Aug 08

The PDF reader in Mozilla Firefox before 39.0.3, Firefox ESR 38.x before 38.1.1, and Firefox OS before 2.2 allows remote

CVE-2013-1690 HIGH POC
8.8 Jun 26

Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before

CVE-2013-0758 CRITICAL POC
9.3 Jan 13

Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderb

CVE-2013-0753 CRITICAL POC
9.3 Jan 13

Use-after-free vulnerability in the serializeToStream implementation in the XMLSerializer component in Mozilla Firefox b

CVE-2012-3993 CRITICAL POC
9.3 Oct 10

The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi

CVE-2013-1710 CRITICAL POC
10.0 Aug 07

The crypto.generateCRMFRequest function in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird befo

CVE-2017-3823 HIGH POC
8.8 Feb 01

An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Conta

CVE-2014-8636 HIGH POC
7.5 Jan 14

The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with

CVE-2013-0757 CRITICAL POC
9.3 Jan 13

The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi

CVE-2014-1510 CRITICAL POC
9.8 Mar 19

The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and Se

CVE-2014-1511 CRITICAL POC
9.8 Mar 19

Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 allow remo

CVE-2013-0643 HIGH
8.8 Feb 27

The Firefox sandbox in Adobe Flash Player before 10.3.183.67 and 11.x before 11.6.602.171 on Windows and Mac OS X, and b

Share

CVE-2026-59173 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy