CERT/CC disclosed VU#885548, a denial-of-service condition in some HTTP/2 server implementations that can be triggered remotely without authentication by abusing stalled flow-control behavior. An attacker can advertise settings such as SETTINGS_INITIAL_WINDOW_SIZE = 0 or stop sending WINDOW_UPDATE frames, forcing servers to buffer large response bodies in memory across many concurrent streams. The resulting impact can include memory exhaustion, swap thrashing, worker or connection exhaustion, service instability, and in severe cases a full crash. Okta Red Team was credited with reporting the issue, and the advisory linked the problem to CVE-2026-59762, CVE-2026-59173, and CVE-2026-44909.
F5 said CVE-2026-59762 affects BIG-IP and related BIG-IP Next products when an HTTP/2 profile is configured on a virtual server, allowing crafted requests to drive up memory use in the TMM process until performance degrades or TMM restarts; the company rated the flaw CVSS 7.5 under v3.1 and 8.7 under v4.0 and urged customers to install patched releases. Apache also confirmed CVE-2026-59173 in Apache Traffic Server versions 9.0.0 through 9.2.13 and 10.0.0 through 10.1.2, recommending upgrades to 9.2.14+ or 10.1.3+. CERT noted that several vendors have already issued fixes, while some products including GNU wget, Go, HAProxy, ISC BIND, lighttpd, and nghttp2 were listed as not affected.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
Apache Traffic Server disclosed that versions 9.0.0 through 9.2.13 and 10.0.0 through 10.1.2 are affected by a stalled HTTP/2 flow-control denial-of-service vulnerability tracked as CVE-2026-59173. The Apache Software Foundation advised upgrading to versions 9.2.14+ or 10.1.3+, and credited Okta Red Team with reporting the issue.
CERT/CC published Vulnerability Note VU#885548 describing a denial-of-service issue in some HTTP/2 server implementations caused by stalled flow-control conditions. The note associated CVE-2026-59762, CVE-2026-59173, and CVE-2026-44909 with the issue, credited Okta Red Team for reporting it, and said several vendors had already issued fixes.
A CVE record for CVE-2026-59173 was reserved by a CVE Numbering Authority, with no public vulnerability details provided at that time.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
seclists.org
Open sourceseclists.org
Open sourcecvefeed.io
Open sourcecve.org
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.