High severity7.5NVD Advisory· Published May 8, 2018· Updated Jun 17, 2026
CVE-2018-1000168
CVE-2018-1000168
Description
nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of service. This attack appears to be exploitable via network client. This vulnerability appears to have been fixed in >= 1.31.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
32- osv-coords31 versionspkg:rpm/opensuse/nghttp2&distro=openSUSE%20Tumbleweedpkg:rpm/suse/firefox-atk&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-cairo&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-gdk-pixbuf&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-glib2&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-gtk3&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-harfbuzz&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-libffi&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-libffi-gcc5&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-pango&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/MozillaFirefox-branding-SLED&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/mozilla-nspr&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/mozilla-nss&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/nghttp2&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/nghttp2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCLpkg:rpm/suse/nghttp2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSSpkg:rpm/suse/nghttp2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCLpkg:rpm/suse/nghttp2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSSpkg:rpm/suse/nghttp2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSSpkg:rpm/suse/nghttp2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/nghttp2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2pkg:rpm/suse/nghttp2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3pkg:rpm/suse/nghttp2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/nghttp2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/nghttp2&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/nghttp2&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/nghttp2&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/nghttp2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/nghttp2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/nodejs8&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015
< 1.43.0-1.6+ 30 more
- (no CPE)range: < 1.43.0-1.6
- (no CPE)range: < 2.26.1-2.8.4
- (no CPE)range: < 1.15.10-2.13.4
- (no CPE)range: < 2.36.11-2.8.4
- (no CPE)range: < 2.54.3-2.14.7
- (no CPE)range: < 3.10.9-2.15.3
- (no CPE)range: < 1.7.5-2.7.4
- (no CPE)range: < 3.2.1.git259-2.3.3
- (no CPE)range: < 5.3.1+r233831-14.1
- (no CPE)range: < 1.40.14-2.7.4
- (no CPE)range: < 68-21.9.8
- (no CPE)range: < 68.2.0-78.51.4
- (no CPE)range: < 4.21-29.6.1
- (no CPE)range: < 3.45-38.9.3
- (no CPE)range: < 1.39.2-3.5.1
- (no CPE)range: < 1.39.2-3.5.1
- (no CPE)range: < 1.39.2-3.5.1
- (no CPE)range: < 1.39.2-3.5.1
- (no CPE)range: < 1.39.2-3.5.1
- (no CPE)range: < 1.39.2-3.5.1
- (no CPE)range: < 1.39.2-3.5.1
- (no CPE)range: < 1.39.2-3.5.1
- (no CPE)range: < 1.39.2-3.5.1
- (no CPE)range: < 1.39.2-3.5.1
- (no CPE)range: < 1.39.2-3.5.1
- (no CPE)range: < 1.39.2-3.5.1
- (no CPE)range: < 1.39.2-3.5.1
- (no CPE)range: < 1.39.2-3.5.1
- (no CPE)range: < 1.39.2-3.5.1
- (no CPE)range: < 1.39.2-3.5.1
- (no CPE)range: < 8.11.3-3.5.1
Patches
Vulnerability mechanics
References
6- www.securityfocus.com/bid/103952nvdBroken LinkThird Party AdvisoryVDB Entry
- access.redhat.com/errata/RHSA-2019:0366nvdThird Party Advisory
- access.redhat.com/errata/RHSA-2019:0367nvdThird Party Advisory
- lists.debian.org/debian-lts-announce/2021/10/msg00011.htmlnvdMailing ListThird Party Advisory
- nghttp2.org/blog/2018/04/12/nghttp2-v1-31-1/nvdVendor Advisory
- nodejs.org/en/blog/vulnerability/june-2018-security-releases/nvdRelease NotesThird Party Advisory
News mentions
0No linked articles in our index yet.