oss-sec mailing list archives

CVE-2026-59173: Apache Traffic Server is vulnerable to stalled HTTP/2 flow-control


From: Masakazu Kitajo <maskit () apache org>
Date: Thu, 16 Jul 2026 23:46:34 -0600

Apache Traffic Server is vulnerable to stalled HTTP/2 flow-control.

CVE:
CVE-2026-59173 - DoS vulnerability in HTTP/2 via stalled flow-control
conditions

Severity:
important

Reported By:
Okta Red Team

Vendor:
The Apache Software Foundation

Version Affected:
ATS 9.0.0 to 9.2.13
ATS 10.0.0 to 10.1.2

Mitigation:
9.x users should upgrade to 9.2.14 or later versions
10.x users should upgrade to 10.1.3 or later versions

Reference:
https://www.cve.org/CVERecord?id=CVE-2026-59173

Current thread: