[UPDATE] [medium] HTTP/2: Multiple vulnerabilities allow Denial of Service
A remote, anonymous attacker can exploit vulnerabilities in various http/2 implementations to conduct a Denial of Service attack.
CSIRTS triage
- What
- A remote, anonymous attacker can exploit vulnerabilities in various http/2 implementations to conduct a Denial of Service attack.
- Who is affected
- Deployments using HTTP/2 implementations are affected.
- Urgency
- Remediation is medium urgency as the vulnerabilities can lead to Denial of Service but are not currently exploited.
- Action
- Update HTTP/2 implementations to the latest versions.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch HTTP/2
Get an email when a new HTTP/2 advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0789
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Exploitation likely imminentCVE-2023-45288EPSS puts this in the most-targeted tier (92.0% 30-day exploitation probability). Prioritize alongside KEV items. Riskier than 100% of all scored CVEs.
- Exploitation likely imminentCVE-2024-2653EPSS puts this in the most-targeted tier (83.2% 30-day exploitation probability). Prioritize alongside KEV items. Riskier than 100% of all scored CVEs.
- Exploitation likely imminentCVE-2024-27316EPSS puts this in the most-targeted tier (91.3% 30-day exploitation probability). Prioritize alongside KEV items. Riskier than 100% of all scored CVEs.
- Exploitation likely imminentCVE-2024-2758EPSS puts this in the most-targeted tier (72.8% 30-day exploitation probability). Prioritize alongside KEV items. Riskier than 99% of all scored CVEs.
- Exploitation likely imminentCVE-2024-27919EPSS puts this in the most-targeted tier (86.7% 30-day exploitation probability). Prioritize alongside KEV items. Riskier than 100% of all scored CVEs.
- Exploitation likely imminentCVE-2024-28182EPSS puts this in the most-targeted tier (85.0% 30-day exploitation probability). Prioritize alongside KEV items. Riskier than 100% of all scored CVEs.
- Exploitation likely imminentCVE-2024-30255EPSS puts this in the most-targeted tier (87.8% 30-day exploitation probability). Prioritize alongside KEV items. Riskier than 100% of all scored CVEs.
- Exploitation likely imminentCVE-2024-31309EPSS puts this in the most-targeted tier (94.6% 30-day exploitation probability). Prioritize alongside KEV items. Riskier than 100% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2023-45288 | coverage & exploitation status | NVD · CVE.org |
| CVE-2024-2653 | coverage & exploitation status | NVD · CVE.org |
| CVE-2024-27316 | coverage & exploitation status | NVD · CVE.org |
| CVE-2024-2758 | coverage & exploitation status | NVD · CVE.org |
| CVE-2024-27919 | coverage & exploitation status | NVD · CVE.org |
| CVE-2024-28182 | coverage & exploitation status | NVD · CVE.org |
| CVE-2024-30255 | coverage & exploitation status | NVD · CVE.org |
| CVE-2024-31309 | coverage & exploitation status | NVD · CVE.org |
Recent advisories for HTTP/2
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- highCVE-2026-55213: h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Prior to commit edd7a120bf…nvd · 2026-07-10
- high[UPDATE] [high] HTTP/2 implementations: Vulnerability allows denial of servicecert-bund · 2026-07-09
- highGHSA-659f-rgp5-w4wf: Skipper: opaAuthorizeRequestWithBody filter bypasses OPA policy on Transfer-Encoding — ch…ghsa · 2026-07-08
- high[UPDATE] [high] http/2 implementations: Vulnerability allows denial of servicecert-bund · 2026-07-06
- criticalCVE-2026-10536: A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stre…nvd · 2026-07-03
- criticalCVE-2026-10536: HTTP/2 stream-dependency tree UAFmsrc · 2026-07-02
More from CERT-Bund (BSI) Security Advisories
- medium[NEW] [medium] DENX U-Boot: Multiple vulnerabilities allow execution of arbitrary code and DoS2026-07-10
- medium[NEW] [medium] Samsung Android: Multiple vulnerabilities2026-07-10
- medium[UPDATE] [medium] Linux Kernel: Multiple vulnerabilities allow denial of service2026-07-10
- medium[UPDATE] [medium] Linux Kernel: Multiple vulnerabilities allow unspecified attack2026-07-10
- medium[UPDATE] [medium] Linux Kernel: Multiple vulnerabilities allow denial of service2026-07-10