SecAlerts
CVE ListPricingSign Up
nghttp2 logo

nghttp2

Security Risk Profile

42
/100
medium

Security Risk Score

Comprehensive risk assessment based on 13 vulnerabilities, EPSS scores, exploitation status, and remediation availability.

📅 Data spans from January 12, 2016 to present

13
Total CVEs
8
Critical+High
1
Exploited
1
Unpatched

Threat Assessment

Avg CVSS
7.1
Base severity
Avg EPSS
0%
Exploit probability
Unpatched
1
Critical/High
Risk Level
42/100
medium
⚠️ 1 Active Exploits 1 Zero-Days

Severity Distribution

Critical
1
High
7
Medium
1
Low
1

Exploit Likelihood

>50% chance
0
20-50%
0
5-20%
0
<5%
0

Age Distribution

Common Weaknesses (CWE)

1
Buffer Overflow
2
2
Input Validation
1
3
Null Pointer Dereference
1
4
Use After Free
1

Most Affected Products

1. Apache Tomcat15
2. Nodejs Node.js12
3. nghttp2 nghttp211
4. Microsoft Windows 1011
5. Fedoraproject Fedora9

Recent Vulnerabilities

See more →
CVE-2026-40170
CVSS 7.5high

ngtcp2 has a qlog transport parameter serialization stack buffer overflow

4/16/2026
https://seclists.org/oss-sec/2026/q1/357
unknown

nghttp2 Denial of service: Assertion failudue to the missing state validation

3/20/2026🔧 No Patch
REDHAT-BUG-2448754
CVSS 7.0high
3/18/2026🔧 No Patch
CVE-2026-27135
CVSS 7.5high

nghttp2 Denial of service: Assertion failure due to the missing state validation

3/18/2026
https://www.bleepingcomputer.com/news/security/new-http-2-dos-attack-can-crash-web-servers-with-a-single-connection/
unknown

New HTTP/2 DoS attack can crash web servers with a single connection

4/4/2024🔧 No Patch
CVE-2024-28182
CVSS 5.3medium

Reading unbounded number of HTTP/2 CONTINUATION frames to cause excessive CPU usage

3/8/2024
https://seclists.org/oss-sec/2023/q4/75
unknown

CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations

10/10/2023🔧 No Patch
CVE-2023-44487
CVSS 7.5high

- Rapid Reset HTTP/2 vulnerability

10/9/2023⚠ Exploited⚡ Zero-Day
CVE-2023-35945
CVSS 7.5high

Envoy vulnerable to HTTP/2 memory leak in nghttp2 codec

6/27/2023
CVE-2020-11080
CVSS 7.5high

Denial of service in nghttp2

6/2/2020

Monitor nghttp2 in Real-Time

Get instant alerts when new vulnerabilities are discovered. Stay ahead of security threats with SecAlerts.

Start Free TrialBook a Demo
Powered bySecAlerts

Monitor Your Software Stack in Real-Time

Get instant alerts when vulnerabilities are discovered in your software stack. Stay ahead of security threats with SecAlerts.

Start Free TrialBook a Demo
AboutNewsDocumentationTermsContact

© 2026 SecAlerts Pty Ltd. All rights reserved.