search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Denial-of-service vulnerability in HTTP/2 servers via stalled flow-control conditions

Vulnerability Note VU#885548

Original Release Date: 2026-07-16 | Last Revised: 2026-07-16

Overview

A denial-of-service (DoS) vulnerability exists in some HTTP/2 server implementations that fail to adequately limit resource consumption when buffering response data under stalled flow-control conditions. A remote, unauthenticated attacker can trigger memory exhaustion and service interruption by using standard flow-control parameters such as SETTINGS_INITIAL_WINDOW_SIZE = 0 to stall outbound data for multiple simultaneous request streams.

Description

HTTP/2 is a widely used application-layer protocol that supports multiplexing, header compression, and flow-control mechanisms to regulate the transmission of data between web browsers and servers. Flow control is designed to prevent senders from overwhelming receivers and relies on client-advertised window sizes to determine the maximum volume of unacknowledged data that can be in transit at any given time.

A client can intentionally stall outbound flow control by withholding WINDOW_UPDATE frames or by advertising SETTINGS_INITIAL_WINDOW_SIZE = 0. In some HTTP/2 implementations, the server continues processing requests and generating complete response bodies even though it is unable to transmit them. The resulting response data remains buffered in memory, and each stalled stream retains its allocated buffer until the connection closes or a timeout occurs.

An attacker can exploit this behavior by opening many simultaneous streams and requesting large resources, causing the server to accumulate large amounts of buffered response data. In environments with permissive resource limits, this can lead to excessive memory consumption, swap exhaustion, service instability, and, in severe cases, system crashes. Even under more conservative limits, the attack can exhaust worker or connection resources and degrade service availability.

Impact

A remote, unauthenticated attacker can cause denial-of-service conditions on affected HTTP/2 server implementations. Under high resource limits, an attacker may be able to induce unbounded memory amplification resulting in OOM kills, severe swap thrashing, or full system unresponsiveness. Under default or lower limits, the attack can exhaust available connections or worker resources, temporarily preventing new clients from establishing sessions and degrading overall service availability.

Solution

Several vendors have addressed this vulnerability in recent updates; see the Vendor Information section for individual CVEs and remediation details. Implementations that enforce memory ceilings, restrict concurrent stream counts, and actively terminate stalled connections can substantially reduce the risk of denial-of-service conditions.

Acknowledgements

Thanks to the Okta Red Team for researching and reporting this vulnerability. This document was written by Molly Jaconski.

Vendor Information

885548
 

Apache Traffic Server Project Affected

Notified:  2026-05-05 Updated: 2026-07-16

Statement Date:   July 02, 2026

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Affected

Vendor Statement

We have not received a statement from the vendor.

CERT Addendum

CVE-2026-59173

Citrix Affected

Notified:  2026-05-05 Updated: 2026-07-16

Statement Date:   July 15, 2026

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Affected

Vendor Statement

The vulnerability impacts NetScaler ADC and NetScaler Gateway when HTTP/2 is enabled in the HTTP Profile and associated with the virtual server (of type LB, CS, VPN) or the service configured on NetScaler.

Customers are recommended to install the relevant updated versions as soon as possible -
* NetScaler ADC and NetScaler Gateway 14.1-72.61 and later releases
* NetScaler ADC and NetScaler Gateway 13.1-63.18 and later releases of 13.1
* NetScaler ADC 14.1-FIPS 14.1-72.61 FIPS and later releases of 14.1-FIPS
* NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.272 and later releases of 13.1-FIPS and 13.1-NDcPP

After the upgrade, configure the Http2SmallWndTimeout parameter, which controls the timeout (in seconds) for HTTP/2 small‑window stalled streams.
* For appliances using HTTP Strict Profiles, this parameter defaults to 30 seconds, and the fix is effective immediately after the upgrade. If you are already using HTTP Strict Profiles then you do not need to take any additional action. Only upgrade to the fixed builds will remediate the vulnerability.
* For appliances NOT using HTTP Strict Profiles, the default value is 0, and in that case, merely upgrading to the builds containing the fix WILL NOT address the vulnerability completely. In this case, customers must manually set Http2SmallWndTimeout to 30 seconds.

Please note that Http2SmallWndTimeout is a new parameter and is only available in the firmware builds that contain the fix.

Configuration command:
set ns httpProfile <profile_name> -http2SmallWndTimeout <value_in_seconds>

F5 Networks Affected

Notified:  2026-05-05 Updated: 2026-07-16

Statement Date:   July 15, 2026

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Affected

Vendor Statement

We have not received a statement from the vendor.

References

Meta Affected

Notified:  2026-05-05 Updated: 2026-07-16

Statement Date:   May 21, 2026

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Affected

Vendor Statement

We have not received a statement from the vendor.

CERT Addendum

CVE-2026-44909

Red Hat Affected

Notified:  2026-05-05 Updated: 2026-07-16

Statement Date:   July 15, 2026

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Affected

Vendor Statement

We have not received a statement from the vendor.

SUSE Linux Affected

Notified:  2026-05-05 Updated: 2026-07-16

Statement Date:   June 11, 2026

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Affected

Vendor Statement

We are shipping apache2 and nginx and other http/2 implementations and will implement guidance or fixes as suggested by upstream.

Yahoo Inc. Affected

Notified:  2026-05-05 Updated: 2026-07-16

Statement Date:   July 15, 2026

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Affected

Vendor Statement

Apache Traffic Server's HTTP/2 stream limit (proxy.config.http2.max_active_streams_in) was advisory only, so a remote client could open concurrent streams faster than the throttle took effect and exhaust proxy memory, causing a denial of service. Fixed in 9.2.14 and 10.1.3 by hard-enforcing the limit with HTTP/2 REFUSED_STREAM. CVE-2026-59173

Cloudflare Not Affected

Notified:  2026-05-05 Updated: 2026-07-16

Statement Date:   July 02, 2026

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Eclipse Foundation Not Affected

Notified:  2026-05-05 Updated: 2026-07-16

Statement Date:   July 15, 2026

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Not Affected

Vendor Statement

We have not received a statement from the vendor.

eCosCentric Not Affected

Notified:  2026-05-05 Updated: 2026-07-16

Statement Date:   May 06, 2026

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Not Affected

Vendor Statement

No HTTP/2 implementations are shipped with eCosPro RTOS

Fastly Not Affected

Notified:  2026-05-05 Updated: 2026-07-16

Statement Date:   May 08, 2026

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Not Affected

Vendor Statement

This vulnerability depends on the buffer size for upstream data being set to SIZE_MAX. The Fastly implementation of h2o's max buffer size for upstream data is set to a small number (instead of the default unlimited size), then Fastly is not vulnerable.

GitHub Not Affected

Notified:  2026-05-05 Updated: 2026-07-16

Statement Date:   May 13, 2026

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Not Affected

Vendor Statement

We were unable to reproduce the impact the researcher described using the POC.

It appears this attack does not pose a significant impact or only poses an impact in a small selection of use cases.

GNU wget Not Affected

Notified:  2026-05-05 Updated: 2026-07-16

Statement Date:   July 10, 2026

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Go Programming Language Not Affected

Notified:  2026-05-05 Updated: 2026-07-16

Statement Date:   May 05, 2026

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Not Affected

Vendor Statement

We have not received a statement from the vendor.

gRPC Not Affected

Notified:  2026-05-05 Updated: 2026-07-16

Statement Date:   May 12, 2026

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Not Affected

Vendor Statement

We have not received a statement from the vendor.

HAProxy Not Affected

Notified:  2026-05-05 Updated: 2026-07-16

Statement Date:   May 05, 2026

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Not Affected

Vendor Statement

We have not received a statement from the vendor.

hyperium Not Affected

Notified:  2026-05-13 Updated: 2026-07-16

Statement Date:   May 14, 2026

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Not Affected

Vendor Statement

We have not received a statement from the vendor.

IETF HTTP Working Group Not Affected

Notified:  2026-04-14 Updated: 2026-07-16

Statement Date:   July 16, 2026

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Not Affected

Vendor Statement

The HTTP/2 specification is not the right target for this disclosure.

This is not the first time that vulnerability disclosures have been opened on this specification. Thus far, no vulnerability has applied to the specification. Then, as now, the problem is with implementations.

When writing standards, the goal is to facilitate secure interoperation between two parties. If a competent team of engineers can achieve that goal by following the specification, then the specification is good.

The responsibility lies with the engineers building implementations, not the specification. If an engineer builds an implementation with a buffer overflow, that is on them, not the specification. Likewise, if there is a denial of service issue, that's on the engineers and the implementation, not the spec.

For this case, RFC 9113 does make some attempt to provide implementers some help in dealing with denial of service, but it is very clear that it cannot provide comprehensive instructions. It does seem like this is common enough bug that it would be worth adding to the advice if we had an opportunity to revise the RFC.

The right thing to do here is to open disclosures on affected implementations.

Internet Systems Consortium Not Affected

Notified:  2026-05-05 Updated: 2026-07-16

Statement Date:   May 07, 2026

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Not Affected

Vendor Statement

None of tested BIND versions are vulnerable. Even in the worst case of artificial 64k DNS responses and 100 concurrent queries per connection (default limit), peak memory usage is about 1.6 MB per HTTP/2+TLS connection. Inactive connections are closed by timer after 30 seconds (default limit).

Tested on:
- bind-9.18 commit 0a84d255
- bind-9.20 commit 93cfd196
- main commit d12d3b2c

References

LANCOM Systems GmbH Not Affected

Notified:  2026-05-05 Updated: 2026-07-16

Statement Date:   June 17, 2026

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Not Affected

Vendor Statement

We have not received a statement from the vendor.

lighttpd Not Affected

Notified:  2026-05-05 Updated: 2026-07-16

Statement Date:   May 12, 2026

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Not Affected

Vendor Statement

We have not received a statement from the vendor.

LiteSpeed Technologies Not Affected

Notified:  2026-05-05 Updated: 2026-07-16

Statement Date:   May 08, 2026

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Not Affected

Vendor Statement

We have not received a statement from the vendor.

netsnmp Not Affected

Notified:  2026-05-05 Updated: 2026-07-16

Statement Date:   May 09, 2026

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Not Affected

Vendor Statement

We have not received a statement from the vendor.

nghttp2 Not Affected

Notified:  2026-05-05 Updated: 2026-07-16

Statement Date:   May 06, 2026

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Paessler Not Affected

Notified:  2026-05-05 Updated: 2026-07-16

Statement Date:   May 06, 2026

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Softvelum Not Affected

Notified:  2026-05-05 Updated: 2026-07-16

Statement Date:   May 15, 2026

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Tempesta Not Affected

Notified:  2026-05-05 Updated: 2026-07-16

Statement Date:   May 09, 2026

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Not Affected

Vendor Statement

This attack relates to Data Dribble (CVE-2019-9511) and our CI verifies that Tempesta FW blocks clients producing many HTTP/2 slow streams requesting large resources.

X.org Foundation Not Affected

Notified:  2026-05-05 Updated: 2026-07-16

Statement Date:   July 15, 2026

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Not Affected

Vendor Statement

The X.Org Foundation does not produce nor ship any HTTP/2 implementations.

Akamai Technologies Inc. Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Amazon Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

AMD Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

AMPHP Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Apache HTTP Server Project Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Apache Tomcat Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Apple Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Arista Networks Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Aruba Networks Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Bell Canada Enterprises Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

BlackBerry Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Broadcom Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Cambium Networks Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Canonical Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Cisco Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Cricket Wireless Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

CZ.NIC Unknown

Notified:  2026-05-07 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Debian GNU/Linux Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Digi International Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

dnsmasq Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

DragonFly BSD Project Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Edg.io Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

eero Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Envoy Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Fortinet Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Google Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Hex Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

IBM Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

IETF Unknown

Notified:  2026-04-14 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Infoblox Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Intel Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Juniper Networks Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

LG Electronics Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Microsoft Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Mozilla Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Muonics Inc. Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

NEC Corporation Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

NetBSD Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Netflix Inc. Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

NETGEAR Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Netty Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

NGINX Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

NLnet Labs Unknown

Notified:  2026-05-07 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Node.js Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

OpenConnect Ltd Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Oracle Corporation Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Oryx Embedded Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Palo Alto Networks Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

PayPal Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Peplink Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

pfSense Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Philips Electronics Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Philips Healthcare Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

PowerDNS Unknown

Notified:  2026-05-08 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Pulse Secure Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Quadros Systems Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Qualcomm Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Riverbed Technologies Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Ruby Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Ruby Gems HTTP-2 Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Rust Security Response WG Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Samsung Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Sonos Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Sony Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Sophos Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Symantec Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Synology Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

TCPWave Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Technicolor Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Tenable Network Security Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

TIBCO Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

TippingPoint Technologies Inc. Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Tizen Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Toshiba Corporation Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Twisted Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Ubiquiti Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Ubuntu Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Unisys Corporation Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Untangle Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Varnish Software Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Viasat Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

VMware Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Wind River Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Wireshark Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

wolfSSL Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Xiaomi Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Xilinx Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Zebra Technologies Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Zephyr Project Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

Zyxel Unknown

Notified:  2026-05-05 Updated: 2026-07-16

CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 Unknown

Vendor Statement

We have not received a statement from the vendor.

View all 118 vendors View less vendors


Other Information

CVE IDs: CVE-2026-59762, CVE-2026-59173, CVE-2026-44909
API URL: VINCE JSON | CSAF
Date Public: 2026-07-16
Date First Published: 2026-07-16
Date Last Updated: 2026-07-16 18:41 UTC
Document Revision: 3

Sponsored by CISA.