nghttp2 CVE Vulnerabilities & Metrics

Focus on nghttp2 vulnerabilities and metrics.

Last updated: 29 Mar 2026, 22:25 UTC

About nghttp2 Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with nghttp2. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.


Global CVE Overview

Total nghttp2 CVEs: 8
Earliest CVE date: 12 Jan 2016, 19:59 UTC
Latest CVE date: 18 Mar 2026, 18:16 UTC

Latest CVE reference: CVE-2026-27135

Rolling Stats

30-day Count (Rolling): 1
365-day Count (Rolling): 1

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0.0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical nghttp2 CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 2.76

Max CVSS: 10.0

Critical CVEs (≥9): 1

CVSS Range vs. Count

Range      Count
0.0-3.9    5
4.0-6.9    2
7.0-8.9    0
9.0-10.0   1

CVSS Distribution Chart

Top 5 Highest CVSS nghttp2 CVEs

These are the five CVEs with the highest CVSS scores for nghttp2, sorted by severity first and then by recency.

All CVEs for nghttp2

CVE-2026-27135 nghttp2 vulnerability CVSS: 0 18 Mar 2026, 18:16 UTC

nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading incoming data when the user-facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. These functions might also be called internally by the library when it detects a situation that is subject to a connection error. Due to missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called; receiving a malformed frame that triggers FRAME_SIZE_ERROR then causes an assertion failure. nghttp2 v1.68.1 adds the missing state validation to avoid the assertion failure. No known workarounds are available.

CVE-2024-28182 nghttp2 vulnerability CVSS: 0 04 Apr 2024, 15:15 UTC

nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading an unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset, in order to keep the HPACK context in sync. This causes excessive CPU usage to decode the HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.

CVE-2023-44487 nghttp2 vulnerability CVSS: 0 10 Oct 2023, 14:15 UTC

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

CVE-2023-35945 nghttp2 vulnerability CVSS: 0 13 Jul 2023, 21:15 UTC

Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy’s HTTP/2 codec may leak a header map and bookkeeping structures upon receiving `RST_STREAM` immediately followed by `GOAWAY` frames from an upstream server. In nghttp2, cleanup of pending requests due to receipt of the `GOAWAY` frame skips de-allocation of the bookkeeping structure and the pending compressed header. The error return code path is taken if the connection is already marked for not sending more requests due to the `GOAWAY` frame. The clean-up code is right after the return statement, causing a memory leak. The result is denial of service through memory exhaustion. This vulnerability was patched in versions 1.26.3, 1.25.8, 1.24.9, 1.23.11.

CVE-2020-11080 nghttp2 vulnerability CVSS: 5.0 03 Jun 2020, 23:15 UTC

In nghttp2 before version 1.41.0, an overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof-of-concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2,400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability: implement the nghttp2_on_frame_recv_callback callback, and if the received frame is a SETTINGS frame and the number of settings entries is large (e.g., > 32), drop the connection.
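The workaround above, and the per-header-block CONTINUATION limit that v1.61.0 introduced for CVE-2024-28182, both reduce to a policy check on the fixed 9-byte HTTP/2 frame header. The following is an added example, not code from the nghttp2 project or from either advisory: it parses that header (RFC 7540 layout: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id), counts SETTINGS entries at 6 bytes each, and applies two limits. The cutoff of 32 entries follows the advisory text; the CONTINUATION limit of 8 per header block, the function names (`h2_parse_frame_header`, `h2_check_frame`, `h2_encode_frame_header`, `h2_scan_sample`) and the constructed sample frames are assumptions made for this example. In a real nghttp2 application the same check would live inside your `nghttp2_on_frame_recv_callback` and return `NGHTTP2_ERR_CALLBACK_FAILURE`; no nghttp2 headers are needed to run this stand-alone version.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* HTTP/2 frame types and flags (RFC 7540 section 6) */
#define H2_FRAME_HEADERS        0x1
#define H2_FRAME_SETTINGS       0x4
#define H2_FRAME_CONTINUATION   0x9
#define H2_FLAG_END_HEADERS     0x4
#define H2_FRAME_HEADER_LEN     9
#define H2_SETTINGS_ENTRY_LEN   6   /* 16-bit identifier + 32-bit value */

/* Policy limits. 32 comes from the CVE-2020-11080 advisory; 8 is an illustrative choice. */
#define MAX_SETTINGS_ENTRIES        32
#define MAX_CONTINUATION_PER_BLOCK  8

enum { H2_ACCEPT = 0, H2_DROP_CONNECTION = -1 };

typedef struct {
    uint32_t length;     /* payload length, 24 bits */
    uint8_t  type;
    uint8_t  flags;
    uint32_t stream_id;  /* 31 bits, reserved bit masked off */
} h2_frame_hdr;

/* Per-connection state needed for the CONTINUATION rule. */
typedef struct {
    int      in_header_block;    /* a HEADERS frame without END_HEADERS is open */
    uint32_t continuation_count; /* CONTINUATION frames seen in the current block */
} h2_conn_state;

/* Parse the 9-byte frame header. Returns 0 on success, -1 if buf is too short. */
int h2_parse_frame_header(const uint8_t *buf, size_t len, h2_frame_hdr *out) {
    if (len < H2_FRAME_HEADER_LEN) return -1;
    out->length    = ((uint32_t)buf[0] << 16) | ((uint32_t)buf[1] << 8) | buf[2];
    out->type      = buf[3];
    out->flags     = buf[4];
    out->stream_id = (((uint32_t)buf[5] << 24) | ((uint32_t)buf[6] << 16) |
                      ((uint32_t)buf[7] << 8)  |  (uint32_t)buf[8]) & 0x7fffffffu;
    return 0;
}

/* Serialize a frame header (used to build constructed samples and tests). */
void h2_encode_frame_header(uint8_t out[H2_FRAME_HEADER_LEN], uint32_t length,
                            uint8_t type, uint8_t flags, uint32_t stream_id) {
    out[0] = (uint8_t)(length >> 16); out[1] = (uint8_t)(length >> 8); out[2] = (uint8_t)length;
    out[3] = type; out[4] = flags;
    out[5] = (uint8_t)(stream_id >> 24); out[6] = (uint8_t)(stream_id >> 16);
    out[7] = (uint8_t)(stream_id >> 8);  out[8] = (uint8_t)stream_id;
}

/* Number of settings entries carried by a SETTINGS frame of the given payload length. */
uint32_t h2_settings_entries(uint32_t length) { return length / H2_SETTINGS_ENTRY_LEN; }

/* Policy check on a received frame header; H2_DROP_CONNECTION means "tear the connection down". */
int h2_check_frame(h2_conn_state *st, const h2_frame_hdr *h) {
    switch (h->type) {
    case H2_FRAME_SETTINGS:
        /* A 14,400-byte payload is 2,400 entries: far beyond anything a peer legitimately needs. */
        return h2_settings_entries(h->length) > MAX_SETTINGS_ENTRIES ? H2_DROP_CONNECTION : H2_ACCEPT;
    case H2_FRAME_HEADERS:
        st->in_header_block   = !(h->flags & H2_FLAG_END_HEADERS);
        st->continuation_count = 0;
        return H2_ACCEPT;
    case H2_FRAME_CONTINUATION:
        if (!st->in_header_block) return H2_DROP_CONNECTION; /* CONTINUATION with no open block */
        if (++st->continuation_count > MAX_CONTINUATION_PER_BLOCK) return H2_DROP_CONNECTION;
        if (h->flags & H2_FLAG_END_HEADERS) st->in_header_block = 0;
        return H2_ACCEPT;
    default:
        return H2_ACCEPT;
    }
}

/* Run a constructed sample: one oversized SETTINGS, one normal SETTINGS, then a HEADERS frame
 * followed by 9 CONTINUATION frames. Returns how many frames the policy would reject (2). */
int h2_scan_sample(void) {
    h2_conn_state st = {0, 0};
    uint8_t buf[H2_FRAME_HEADER_LEN];
    h2_frame_hdr h;
    int rejected = 0, i;
    h2_encode_frame_header(buf, 14400, H2_FRAME_SETTINGS, 0, 0);            /* constructed */
    if (h2_parse_frame_header(buf, sizeof buf, &h) == 0 && h2_check_frame(&st, &h) != H2_ACCEPT) rejected++;
    h2_encode_frame_header(buf, 36, H2_FRAME_SETTINGS, 0, 0);               /* 6 entries */
    if (h2_parse_frame_header(buf, sizeof buf, &h) == 0 && h2_check_frame(&st, &h) != H2_ACCEPT) rejected++;
    h2_encode_frame_header(buf, 100, H2_FRAME_HEADERS, 0, 1);               /* no END_HEADERS */
    if (h2_parse_frame_header(buf, sizeof buf, &h) == 0 && h2_check_frame(&st, &h) != H2_ACCEPT) rejected++;
    for (i = 0; i < 9; i++) {                                                /* 9th exceeds limit */
        h2_encode_frame_header(buf, 100, H2_FRAME_CONTINUATION, 0, 1);
        if (h2_parse_frame_header(buf, sizeof buf, &h) == 0 && h2_check_frame(&st, &h) != H2_ACCEPT) rejected++;
    }
    return rejected;
}

int main(void) {
    printf("frames rejected by policy in constructed sample: %d\n", h2_scan_sample());
    return 0;
}
```

The 36-byte SETTINGS frame (six entries) and the ACK form (zero-length payload) both pass, so ordinary peers are unaffected; only the flood pattern trips the limit. Because a real drop ends the connection, the scan here keeps going only so the sample can show both rules firing.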

CVE-2016-1544 nghttp2 vulnerability CVSS: 2.1 06 Feb 2020, 15:15 UTC

nghttp2 before 1.7.1 allows remote attackers to cause a denial of service (memory exhaustion).

CVE-2018-1000168 nghttp2 vulnerability CVSS: 5.0 08 May 2018, 15:29 UTC

nghttp2 versions >= 1.10.0 and <= v1.31.0 contain an Improper Input Validation (CWE-20) vulnerability in ALTSVC frame handling that can result in a segmentation fault leading to denial of service. This attack appears to be exploitable via a network client. This vulnerability appears to have been fixed in >= 1.31.1.

CVE-2015-8659 nghttp2 vulnerability CVSS: 10.0 12 Jan 2016, 19:59 UTC

The idle stream handling in nghttp2 before 1.6.0 allows attackers to have unspecified impact via unknown vectors, aka a heap-use-after-free bug.