JLSEC-2026-4

See a problem?
Please try reporting it to the source first.
Source
https://github.com/JuliaLang/SecurityAdvisories.jl/blob/main/advisories/published/2026/JLSEC-2026-4.md
Import Source
https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-4.json
JSON Data
https://api.test.osv.dev/v1/vulns/JLSEC-2026-4
Upstream
Published
2026-03-23T22:38:33.248Z
Modified
2026-03-23T22:45:06.927565Z
Summary
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C
Details

nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.

Database specific 
{
    "sources": [
        {
            "published": "2024-04-04T15:15:38.427Z",
            "imported": "2026-03-23T22:20:24.459Z",
            "id": "CVE-2024-28182",
            "modified": "2025-11-04T19:17:05.097Z",
            "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2024-28182",
            "html_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28182"
        }
    ],
    "license": "CC-BY-4.0"
}
References

Affected packages

Julia / nghttp2_jll

Package

Name
nghttp2_jll
Purl
pkg:julia/nghttp2_jll?uuid=8e850ede-7688-5339-a07c-302acd2aaf8d

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.61.0+0

Database specific

source 
"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-4.json"