-->
#1 Trusted Cybersecurity News Platform
Followed by 5.70+ million
The Hacker News Logo
Get the Latest News
cybersecurity

HTTP/2 | Breaking Cybersecurity News | The Hacker News

Category — HTTP/2
Citrix Patches Six NetScaler Flaws Allowing File Read and Denial-of-Service

Citrix Patches Six NetScaler Flaws Allowing File Read and Denial-of-Service

7月 01, 2026 Vulnerability / Enterprise Security
Citrix on Tuesday released security updates to address multiple flaws in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) that could be exploited by an attacker to facilitate arbitrary file reads or trigger a denial-of-service (DoS) condition. The vulnerabilities are listed below - CVE-2026-8451 (CVSS score: 8.8) - An insufficient input validation vulnerability leading to memory overread when NetScaler ADC or NetScaler Gateway is configured as a SAML IDP CVE-2026-8452 (CVSS score: 8.8) - A memory overflow vulnerability leading to unpredictable or erroneous behavior and denial-of-service when the appliance is configured as a Gateway or an AAA virtual server CVE-2026-8655 (CVSS score: 8.8) - Multiple memory overflow vulnerabilities leading to unpredictable or erroneous behavior and denial-of-service when NetScaler ADC is configured as an LB of type Oracle, a DNS Proxy, or a DNS recursive resolver deployment CVE-2026-10816 (CVSS sco...
F5 Patches Two Critical NGINX Open Source Flaws Enabling Remote Code Execution

F5 Patches Two Critical NGINX Open Source Flaws Enabling Remote Code Execution

6月 18, 2026 Vulnerability / Cloud Security
F5 has released security updates to address two critical security flaws in NGINX Open Source that could be exploited to achieve code execution on affected systems. The vulnerabilities are listed below - CVE-2026-42530 (CVSS v4 score: 9.2) - A use-after-free vulnerability in the ngx_http_v3_module that could be triggered by a remote unauthenticated attacker when NGINX Open Source is configured to use the HTTP/3 QUIC module to reopen a QPACK encoder stream by means of a specially crafted HTTP/3 session, and execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. CVE-2026-42055 (CVSS v4 score: 9.2) - A heap-based buffer overflow vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules that could be triggered by a remote unauthenticated attacker when the proxy_http_version to 2 or grpc_pass directives are used to proxy HTTP/2 traffic, the ignore_invalid_headers directive is set to off, and the ...
New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare

New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare

6月 03, 2026 Vulnerability / Server Security
Cybersecurity researchers have discovered a remote denial-of-service exploit that affects major web servers, including NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora. The vulnerability has been codenamed HTTP/2 Bomb by Calif. "The vulnerable behavior exists in each server's default HTTP/2 configuration," the company said, adding it was discovered by OpenAI Codex by chaining together two known techniques: a compression bomb and a Slowloris -style hold. "The bomb targets HPACK, HTTP/2's header compression scheme: one byte on the wire becomes one full header allocation on the server, repeated thousands of times per request," Calif added. "The hold is a zero-byte flow-control window that keeps the server from ever freeing any of it." HPACK is a dedicated header compression algorithm for HTTP/2 used for compressing request and response metadata using Huffman encoding that results in an average reduction of 30% in header siz...
cyber security

The Systems That Power America Are Under Threat. Is Your ICS/OT Program Ready?

websiteSANS InstituteCritical infrastructure / Webinar
Discover where federal ICS programs are most exposed and what closing the skills gap requires in practice.
cyber security

Inside Device Code Phishing: Live Demos, Real Kits, and What's Next

websitePush SecurityPhishing Attack / Webinar
Device code attacks are up 37x this year, with 18+ kits in the wild. Now available on-demand.
New HTTP/2 'MadeYouReset' Vulnerability Enables Large-Scale DoS Attacks

New HTTP/2 'MadeYouReset' Vulnerability Enables Large-Scale DoS Attacks

8月 14, 2025 Server Security / Vulnerability
Multiple HTTP/2 implementations have been found susceptible to a new attack technique called MadeYouReset that could be explored to conduct powerful denial-of-service (DoS) attacks. "MadeYouReset bypasses the typical server-imposed limit of 100 concurrent HTTP/2 requests per TCP connection from a client. This limit is intended to mitigate DoS attacks by restricting the number of simultaneous requests a client can send," researchers Gal Bar Nahum, Anat Bremler-Barr, and Yaniv Harel said . "With MadeYouReset, an attacker can send many thousands of requests, creating a denial-of-service condition for legitimate users and, in some vendor implementations, escalating into out-of-memory crashes." The vulnerability has been assigned the generic CVE identifier, CVE-2025-8671 (CVSS score: 7.5), although the issue impacts several products, including Apache Tomcat ( CVE-2025-48989 ), F5 BIG-IP ( CVE-2025-54500 ), and Netty ( CVE-2025-55163 ). MadeYouReset is the latest fl...
Expert Insights Articles Videos
Cybersecurity Resources