Overview
A denial-of-service (DoS) vulnerability exists in some HTTP/2 server implementations that fail to adequately limit resource consumption when buffering response data under stalled flow-control conditions. A remote, unauthenticated attacker can trigger memory exhaustion and service interruption by using standard flow-control parameters such as SETTINGS_INITIAL_WINDOW_SIZE = 0 to stall outbound data for multiple simultaneous request streams.
Description
HTTP/2 is a widely used application-layer protocol that supports multiplexing, header compression, and flow-control mechanisms to regulate the transmission of data between web browsers and servers. Flow control is designed to prevent senders from overwhelming receivers and relies on client-advertised window sizes to determine the maximum volume of unacknowledged data that can be in transit at any given time.
A client can intentionally stall outbound flow control by withholding WINDOW_UPDATE frames or by advertising SETTINGS_INITIAL_WINDOW_SIZE = 0. In some HTTP/2 implementations, the server continues processing requests and generating complete response bodies even though it is unable to transmit them. The resulting response data remains buffered in memory, and each stalled stream retains its allocated buffer until the connection closes or a timeout occurs.
An attacker can exploit this behavior by opening many simultaneous streams and requesting large resources, causing the server to accumulate large amounts of buffered response data. In environments with permissive resource limits, this can lead to excessive memory consumption, swap exhaustion, service instability, and, in severe cases, system crashes. Even under more conservative limits, the attack can exhaust worker or connection resources and degrade service availability.
Impact
A remote, unauthenticated attacker can cause denial-of-service conditions on affected HTTP/2 server implementations. Under high resource limits, an attacker may be able to induce unbounded memory amplification resulting in OOM kills, severe swap thrashing, or full system unresponsiveness. Under default or lower limits, the attack can exhaust available connections or worker resources, temporarily preventing new clients from establishing sessions and degrading overall service availability.
Solution
Several vendors have addressed this vulnerability in recent updates; see the Vendor Information section for individual CVEs and remediation details. Implementations that enforce memory ceilings, restrict concurrent stream counts, and actively terminate stalled connections can substantially reduce the risk of denial-of-service conditions.
Acknowledgements
Thanks to the Okta Red Team for researching and reporting this vulnerability. This document was written by Molly Jaconski.
Vendor Information
Apache Traffic Server Project Affected
Statement Date: July 02, 2026
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Affected |
Vendor Statement
We have not received a statement from the vendor.
CERT Addendum
CVE-2026-59173
Citrix Affected
Statement Date: July 15, 2026
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Affected |
Vendor Statement
The vulnerability impacts NetScaler ADC and NetScaler Gateway when HTTP/2 is enabled in the HTTP Profile and associated with the virtual server (of type LB, CS, VPN) or the service configured on NetScaler.
Customers are recommended to install the relevant updated versions as soon as possible -
* NetScaler ADC and NetScaler Gateway 14.1-72.61 and later releases
* NetScaler ADC and NetScaler Gateway 13.1-63.18 and later releases of 13.1
* NetScaler ADC 14.1-FIPS 14.1-72.61 FIPS and later releases of 14.1-FIPS
* NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.272 and later releases of 13.1-FIPS and 13.1-NDcPP
After the upgrade, configure the Http2SmallWndTimeout parameter, which controls the timeout (in seconds) for HTTP/2 small‑window stalled streams.
* For appliances using HTTP Strict Profiles, this parameter defaults to 30 seconds, and the fix is effective immediately after the upgrade. If you are already using HTTP Strict Profiles then you do not need to take any additional action. Only upgrade to the fixed builds will remediate the vulnerability.
* For appliances NOT using HTTP Strict Profiles, the default value is 0, and in that case, merely upgrading to the builds containing the fix WILL NOT address the vulnerability completely. In this case, customers must manually set Http2SmallWndTimeout to 30 seconds.
Please note that Http2SmallWndTimeout is a new parameter and is only available in the firmware builds that contain the fix.
Configuration command:
set ns httpProfile <profile_name> -http2SmallWndTimeout <value_in_seconds>
F5 Networks Affected
Statement Date: July 15, 2026
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Affected |
Vendor Statement
We have not received a statement from the vendor.
References
- K000162231: BIG-IP HTTP/2 vulnerability CVE-2026-59762
- https://my.f5.com/manage/s/article/K000162231
Meta Affected
Statement Date: May 21, 2026
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Affected |
Vendor Statement
We have not received a statement from the vendor.
CERT Addendum
CVE-2026-44909
Red Hat Affected
Statement Date: July 15, 2026
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Affected |
Vendor Statement
We have not received a statement from the vendor.
SUSE Linux Affected
Statement Date: June 11, 2026
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Affected |
Vendor Statement
We are shipping apache2 and nginx and other http/2 implementations and will implement guidance or fixes as suggested by upstream.
Yahoo Inc. Affected
Statement Date: July 15, 2026
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Affected |
Vendor Statement
Apache Traffic Server's HTTP/2 stream limit (proxy.config.http2.max_active_streams_in) was advisory only, so a remote client could open concurrent streams faster than the throttle took effect and exhaust proxy memory, causing a denial of service. Fixed in 9.2.14 and 10.1.3 by hard-enforcing the limit with HTTP/2 REFUSED_STREAM. CVE-2026-59173
Cloudflare Not Affected
Statement Date: July 02, 2026
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Eclipse Foundation Not Affected
Statement Date: July 15, 2026
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
eCosCentric Not Affected
Statement Date: May 06, 2026
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Not Affected |
Vendor Statement
No HTTP/2 implementations are shipped with eCosPro RTOS
Fastly Not Affected
Statement Date: May 08, 2026
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Not Affected |
Vendor Statement
This vulnerability depends on the buffer size for upstream data being set to SIZE_MAX. The Fastly implementation of h2o's max buffer size for upstream data is set to a small number (instead of the default unlimited size), then Fastly is not vulnerable.
GitHub Not Affected
Statement Date: May 13, 2026
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Not Affected |
Vendor Statement
We were unable to reproduce the impact the researcher described using the POC.
It appears this attack does not pose a significant impact or only poses an impact in a small selection of use cases.
GNU wget Not Affected
Statement Date: July 10, 2026
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Go Programming Language Not Affected
Statement Date: May 05, 2026
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
gRPC Not Affected
Statement Date: May 12, 2026
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
HAProxy Not Affected
Statement Date: May 05, 2026
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
hyperium Not Affected
Statement Date: May 14, 2026
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
IETF HTTP Working Group Not Affected
Statement Date: July 16, 2026
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Not Affected |
Vendor Statement
The HTTP/2 specification is not the right target for this disclosure.
This is not the first time that vulnerability disclosures have been opened on this specification. Thus far, no vulnerability has applied to the specification. Then, as now, the problem is with implementations.
When writing standards, the goal is to facilitate secure interoperation between two parties. If a competent team of engineers can achieve that goal by following the specification, then the specification is good.
The responsibility lies with the engineers building implementations, not the specification. If an engineer builds an implementation with a buffer overflow, that is on them, not the specification. Likewise, if there is a denial of service issue, that's on the engineers and the implementation, not the spec.
For this case, RFC 9113 does make some attempt to provide implementers some help in dealing with denial of service, but it is very clear that it cannot provide comprehensive instructions. It does seem like this is common enough bug that it would be worth adding to the advice if we had an opportunity to revise the RFC.
The right thing to do here is to open disclosures on affected implementations.
Internet Systems Consortium Not Affected
Statement Date: May 07, 2026
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Not Affected |
Vendor Statement
None of tested BIND versions are vulnerable. Even in the worst case of artificial 64k DNS responses and 100 concurrent queries per connection (default limit), peak memory usage is about 1.6 MB per HTTP/2+TLS connection. Inactive connections are closed by timer after 30 seconds (default limit).
Tested on:
- bind-9.18 commit 0a84d255
- bind-9.20 commit 93cfd196
- main commit d12d3b2c
References
LANCOM Systems GmbH Not Affected
Statement Date: June 17, 2026
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
lighttpd Not Affected
Statement Date: May 12, 2026
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
LiteSpeed Technologies Not Affected
Statement Date: May 08, 2026
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
netsnmp Not Affected
Statement Date: May 09, 2026
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
nghttp2 Not Affected
Statement Date: May 06, 2026
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Paessler Not Affected
Statement Date: May 06, 2026
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Softvelum Not Affected
Statement Date: May 15, 2026
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Tempesta Not Affected
Statement Date: May 09, 2026
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Not Affected |
Vendor Statement
This attack relates to Data Dribble (CVE-2019-9511) and our CI verifies that Tempesta FW blocks clients producing many HTTP/2 slow streams requesting large resources.
X.org Foundation Not Affected
Statement Date: July 15, 2026
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Not Affected |
Vendor Statement
The X.Org Foundation does not produce nor ship any HTTP/2 implementations.
Akamai Technologies Inc. Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Amazon Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
AMD Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
AMPHP Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Apache HTTP Server Project Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Apache Tomcat Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Apple Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Arista Networks Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Aruba Networks Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Bell Canada Enterprises Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
BlackBerry Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Broadcom Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Cambium Networks Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Canonical Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Cisco Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Cricket Wireless Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
CZ.NIC Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Debian GNU/Linux Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Digi International Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
dnsmasq Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
DragonFly BSD Project Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Edg.io Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
eero Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Envoy Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Fortinet Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Google Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Hex Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
IBM Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
IETF Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Infoblox Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Intel Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Juniper Networks Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
LG Electronics Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Microsoft Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Mozilla Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Muonics Inc. Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
NEC Corporation Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
NetBSD Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Netflix Inc. Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
NETGEAR Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Netty Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
NGINX Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
NLnet Labs Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Node.js Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
OpenConnect Ltd Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Oracle Corporation Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Oryx Embedded Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Palo Alto Networks Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
PayPal Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Peplink Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
pfSense Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Philips Electronics Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Philips Healthcare Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
PowerDNS Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Pulse Secure Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Quadros Systems Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Qualcomm Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Riverbed Technologies Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Ruby Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Ruby Gems HTTP-2 Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Rust Security Response WG Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Samsung Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Sonos Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Sony Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Sophos Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Symantec Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Synology Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
TCPWave Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Technicolor Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Tenable Network Security Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
TIBCO Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
TippingPoint Technologies Inc. Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Tizen Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Toshiba Corporation Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Twisted Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Ubiquiti Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Ubuntu Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Unisys Corporation Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Untangle Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Varnish Software Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Viasat Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
VMware Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Wind River Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Wireshark Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
wolfSSL Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Xiaomi Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Xilinx Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Zebra Technologies Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Zephyr Project Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Zyxel Unknown
| CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Other Information
| CVE IDs: | CVE-2026-59762, CVE-2026-59173, CVE-2026-44909 |
| API URL: | VINCE JSON | CSAF |
| Date Public: | 2026-07-16 |
| Date First Published: | 2026-07-16 |
| Date Last Updated: | 2026-07-16 18:41 UTC |
| Document Revision: | 3 |