Critical nghttp2 Vulnerability Poses Denial of Service Risk
Severity: High (Score: 70.5)
Sources: Ubuntu
Summary
Andrew MacPherson discovered that nghttp2 fails to properly validate internal state during session termination. A remote attacker could use this flaw to crash nghttp2, resulting in a denial of service. The issue affects Ubuntu 26.04 LTS, and the corresponding patch was released as USN-8233-2 on May 6, 2026, following the initial advisory USN-8233-1 published on May 5, 2026. Users are advised to update their systems to mitigate the risk. The articles do not mention a CVE identifier for the vulnerability, but it is critical for users relying on nghttp2 for their applications.
Key Points:
• A critical vulnerability in nghttp2 could lead to denial of service attacks.
• The flaw was discovered by Andrew MacPherson and affects Ubuntu 26.04 LTS.
• Patches were released in USN-8233-2 on May 6, 2026, following USN-8233-1.