Critical nghttp2 Vulnerability Exposes Backend Services to Smuggling Attacks

First seen 2 Jul 2026, 18:59 UTC. Sources: Ubuntu, Linuxsecurity.

A vulnerability has been identified in nghttpx, the proxy shipped with nghttp2, affecting multiple Ubuntu releases. The flaw arises from improper handling of HTTP/1.1 Upgrade requests that contain a Content-Length header and a body. A remote attacker could use this to carry out HTTP request and response smuggling attacks against backend services. Affected releases include Ubuntu 26.04 LTS, 25.10, 24.04 LTS, and 22.04 LTS. The issue is covered by Ubuntu security notice USN-8495-1, and users are advised to run a standard system update to apply the necessary patches. The issue highlights the importance of keeping software up to date to prevent exploitation.

Key Points:
• The nghttp2 vulnerability allows HTTP request and response smuggling attacks.
• Affected systems include Ubuntu 26.04 LTS and earlier versions.
• Users are advised to perform a standard system update to mitigate risks.
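A detection-side check for the request shape described above, as an added example that is not part of the original article or of nghttp2: it flags raw HTTP/1.1 requests that carry an Upgrade header together with a Content-Length body. Flagging Transfer-Encoding and conflicting lengths goes beyond what the article states; the function names, host and sample requests are constructed for illustration.

```python
import re

# RFC 9110 header field-name token; a name with whitespace before the colon fails it.
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

def parse_headers(raw: bytes):
    """Return [(lowercased name, value)] from a raw HTTP/1.1 request head."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    headers = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN.match(name):
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.lower().decode(), value.strip().decode("latin-1")))
    return headers

def upgrade_body_findings(raw: bytes):
    """List reasons a request both asks for an Upgrade and frames a body."""
    headers = parse_headers(raw)
    values = lambda n: [v for k, v in headers if k == n]
    if not values("upgrade"):
        return []
    findings = []
    # Content-Length may repeat or be comma-joined; collect every distinct value.
    lengths = sorted({p.strip() for v in values("content-length") for p in v.split(",")})
    if len(lengths) > 1:
        findings.append("conflicting Content-Length values")
    for v in lengths:
        if not (v.isascii() and v.isdigit()):
            findings.append(f"invalid Content-Length {v!r}")
        elif int(v) > 0:
            findings.append(f"Upgrade with Content-Length {int(v)}")
    if values("transfer-encoding"):  # assumption: not named in the article
        findings.append("Upgrade with Transfer-Encoding")
    return findings

# Constructed sample requests (hypothetical host and paths).
SAMPLES = {
    "plain_upgrade": b"GET /chat HTTP/1.1\r\nHost: backend.example\r\n"
                     b"Connection: Upgrade\r\nUpgrade: websocket\r\n\r\n",
    "upgrade_with_body": b"POST /chat HTTP/1.1\r\nHost: backend.example\r\n"
                         b"Connection: Upgrade\r\nUpgrade: websocket\r\n"
                         b"Content-Length: 5\r\n\r\nhello",
}
if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, upgrade_body_findings(raw))
```

A request with `Content-Length: 0` alongside Upgrade is not flagged, since it frames no body.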

Timeline

2026-07-02: nghttp2 vulnerability disclosed (source: Ubuntu)
The nghttp2 nghttpx proxy was found to improperly handle HTTP/1.1 Upgrade requests, leading to potential smuggling attacks.

2026-07-02: Ubuntu security notice USN-8495-1 issued (source: Linuxsecurity)
Ubuntu published a security notice regarding the nghttp2 vulnerability, advising users to update their systems.
