HTTP/2 Ghost Stream Denial of Service
Target:
[REDACTED] Edge & Service Proxy
Vulnerability Class:
Uncontrolled Resource Consumption (CWE-400)
CVE ID:
CVE-2026-XXXX
Discovered:
February 28, 2026
Executive Summary
Executive Summary
A denial of service vulnerability exists in [REDACTED] Edge & Service Proxy’s HTTP/2 implementation through ghost stream handling in the legacy nghttp2 codec.
Technical Details
The vulnerability allows attackers to create ghost HTTP/2 streams that consume unbounded resources, leading to denial of service.
OPSEC Note
Full technical details are embargoed until vendor patches are publicly available.
Impact Assessment
HTTP/2 ghost stream vulnerability enables denial of service through unbounded resource consumption in legacy nghttp2 codec.
Disclosure Timeline
- February 28, 2026: Vulnerability discovered
- March 05, 2026: Vendor notification
- March 25, 2026: Vendor acknowledged
- April 07, 2026: Patch status: Under development