Zero Day Monitor (ZDM)
5.3
CVE-2026-28898 · EXPLOITED · PATCHED
apple · swift-nio-http2

CVE-2026-28898: swift-nio-http2's HTTP/2-to-HTTP/1.1 codec did not validate pseudo-header values for control characters before placing t

Description

swift-nio-http2's HTTP/2-to-HTTP/1.1 codec did not validate pseudo-header values for control characters before placing them into the translated HTTP/1.1 message. swift-nio-http2 1.44.1 adds validation of all pseudo-header values (:path, :authority, :scheme, :method, and :status) at both the HPACK header validation layer and the HTTP/2-to-HTTP/1.1 translation layer. Requests or responses containing CR, LF, or NUL bytes in any pseudo-header value are now rejected with a connection error. This issue is fixed in swift-nio-http2 1.44.1.
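The check the description refers to, as an added example: this is not code from swift-nio-http2, and the type and function names (`PseudoHeaderError`, `validatePseudoHeaders`, `translateRequestHead`) and the sample headers are constructed for illustration. It rejects CR, LF and NUL in pseudo-header values before a simplified HTTP/1.1 request head is built; a thrown error stands in for the connection error.

```swift
// Added illustration; not swift-nio-http2 code. All names here are hypothetical.
enum PseudoHeaderError: Error, Equatable {
    case forbiddenByte(name: String, byte: UInt8, offset: Int)
}

typealias HeaderList = [(name: String, value: String)]

let pseudoHeaderNames: Set<String> = [":path", ":authority", ":scheme", ":method", ":status"]

/// Rejects CR, LF or NUL in any pseudo-header value.
/// The scan runs over UTF-8 bytes, not Characters: Swift treats "\r\n" as a
/// single Character, so a per-Character comparison against "\r" or "\n" misses it.
func validatePseudoHeaders(_ headers: HeaderList) throws {
    for (name, value) in headers where pseudoHeaderNames.contains(name) {
        for (offset, byte) in value.utf8.enumerated() {
            if byte == 0x0D || byte == 0x0A || byte == 0x00 {
                throw PseudoHeaderError.forbiddenByte(name: name, byte: byte, offset: offset)
            }
        }
    }
}

/// Simplified HTTP/2 -> HTTP/1.1 request-head translation, guarded by the check.
/// Without the guard, a CR/LF in :path or :authority would land in the output verbatim.
func translateRequestHead(_ headers: HeaderList) throws -> String {
    try validatePseudoHeaders(headers)
    var fields: [String: String] = [:]
    for (name, value) in headers { fields[name] = value }
    let method = fields[":method"] ?? "GET"
    let path = fields[":path"] ?? "/"
    let authority = fields[":authority"] ?? ""
    return "\(method) \(path) HTTP/1.1\r\nHost: \(authority)\r\n\r\n"
}

// Constructed sample inputs, not taken from real traffic.
let clean: HeaderList = [(":method", "GET"), (":path", "/index.html"),
                         (":authority", "example.com"), (":scheme", "https")]
let tainted: HeaderList = [(":method", "GET"), (":path", "/a\r\nX-Constructed: 1"),
                           (":authority", "example.com"), (":scheme", "https")]

for sample in [clean, tainted] {
    do {
        let head = try translateRequestHead(sample)
        print("translated:\n\(head)")
    } catch {
        print("rejected: \(error)")
    }
}
```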

Affected Products

Vendor · Product · Versions
apple · swift-nio-http2 · 0

References

  • https://github.com/advisories/GHSA-4px2-pw77-vc85

Related News (1 articles)

Tier C
VulDB · 4d ago
CVE-2026-28898 | Apple swift-nio-http2 up to 1.44.0 Header Validation escape output (GHSA-4px2-pw77-vc85)
→ No new info (linked only)

CVSS 3.1: 5.3 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA KEV: ❌ No
Actively exploited: ✅ Yes
Patch available: github.com/apple/swift-nio-http2@1.44.1
Published: Jun 12, 2026
Last enriched: 4d ago (v2)
Tags: GHSA-4px2-pw77-vc85, swift
Trending Score: 32
Source articles: 1
Independent: 1
Info Completeness: 8/14
Missing: epss, cwe, kev, exploit, iocs, mitre_attack

Related CVEs (5)

CRITICAL · CVE-2026-43715 · EXP
CVE-2026-43715: A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5.2, iOS 26.5.2 a
Trending: 56

CRITICAL · CVE-2026-43731 · EXP
CVE-2026-43731: A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5.2, iOS 26.5.2 a
Trending: 56

CRITICAL · CVE-2026-43699 · EXP
CVE-2026-43699: A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5.2, iOS 26.5.2 a
Trending: 51

CRITICAL · CVE-2026-43709 · EXP
CVE-2026-43709: A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5.2, iOS 26.5.2 a
Trending: 51

CRITICAL · CVE-2026-43718 · EXP
CVE-2026-43718: A stack overflow was addressed with improved input validation. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPad
Trending: 51

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Jun 12, 2026
Discovered by ZDM: Jun 12, 2026
Actively Exploited: Jun 25, 2026
Patch Available: Jun 25, 2026
Updated (severity, activelyExploited): Jun 25, 2026

Version History

v2
Last enriched 4d ago
v2 · Tier C · 4d ago

Updated severity to CRITICAL, noted that no exploit is available, and marked the vulnerability as actively exploited.

Changed fields: severity, activelyExploited
via VulDB

v1 · 17d ago

Initial creation