Zero Day Monitor (ZDM)
CVE-2026-28898 · CVSS 5.3 · EXPLOITED · PATCHED
apple · swift-nio-http2

CVE-2026-28898: swift-nio-http2's HTTP/2-to-HTTP/1.1 codec did not validate pseudo-header values for control characters before placing t

Description

swift-nio-http2's HTTP/2-to-HTTP/1.1 codec did not validate pseudo-header values for control characters before placing them into the translated HTTP/1.1 message. swift-nio-http2 1.44.1 adds validation of all pseudo-header values (:path, :authority, :scheme, :method, and :status) at both the HPACK header validation layer and the HTTP/2-to-HTTP/1.1 translation layer. Requests or responses containing CR, LF, or NUL bytes in any pseudo-header value are now rejected with a connection error. This issue is fixed in swift-nio-http2 1.44.1.
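
The check described above, as an added Swift example that is not swift-nio-http2's own code: it rejects CR, LF and NUL in request pseudo-header values before they are written into an HTTP/1.1 request line. The names `PseudoHeaderError`, `validatePseudoHeader` and `requestLine`, and the sample values, are assumptions made for illustration; the response direction (`:status`) is not covered.

```swift
// Added example: standalone, no SwiftNIO imports. All names here are
// hypothetical and do not mirror swift-nio-http2's internal API.

enum PseudoHeaderError: Error, Equatable {
    case forbiddenByte(header: String, byte: UInt8, offset: Int)
}

// Bytes the advisory text lists as rejected: NUL, LF, CR.
let forbiddenBytes: Set<UInt8> = [0x00, 0x0A, 0x0D]

/// Scans the raw UTF-8 bytes of one pseudo-header value.
/// Bytes are checked rather than Characters because Swift treats "\r\n" as a
/// single Character, so a Character-level search for "\r" or "\n" misses it.
func validatePseudoHeader(name: String, value: String) throws {
    for (offset, byte) in value.utf8.enumerated() where forbiddenBytes.contains(byte) {
        throw PseudoHeaderError.forbiddenByte(header: name, byte: byte, offset: offset)
    }
}

/// Translates request pseudo-headers into an HTTP/1.1 request line plus Host
/// header, validating every value first so nothing reaches the wire unchecked.
func requestLine(method: String, scheme: String, authority: String, path: String) throws -> String {
    let pseudo = [(":method", method), (":scheme", scheme),
                  (":authority", authority), (":path", path)]
    for (name, value) in pseudo {
        try validatePseudoHeader(name: name, value: value)
    }
    return "\(method) \(path) HTTP/1.1\r\nHost: \(authority)\r\n\r\n"
}

// Constructed sample inputs: one clean :path, one carrying CR LF.
let samples = ["/index.html", "/a HTTP/1.1\r\nX-Injected: 1"]
for path in samples {
    do {
        let line = try requestLine(method: "GET", scheme: "https",
                                   authority: "example.com", path: path)
        print("accepted:", line.debugDescription)
    } catch let PseudoHeaderError.forbiddenByte(header, byte, offset) {
        // A real HTTP/2 endpoint would answer with a connection error here.
        print("rejected \(header): byte 0x\(String(byte, radix: 16)) at offset \(offset)")
    } catch {
        print("unexpected error:", error)
    }
}
```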

Affected Products

Vendor | Product | Versions
apple | swift-nio-http2 | 0

References

  • https://github.com/advisories/GHSA-4px2-pw77-vc85

Related News (1 article)

Tier C
VulDB · 4d ago
CVE-2026-28898 | Apple swift-nio-http2 up to 1.44.0 Header Validation escape output (GHSA-4px2-pw77-vc85)
→ No new info (linked only)
CVSS 3.1: 5.3 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA KEV: ❌ No
Actively exploited: ✅ Yes
Patch available: github.com/apple/swift-nio-http2@1.44.1
Published: Jun 12, 2026
Last enriched: 3d ago (v2)
Tags: GHSA-4px2-pw77-vc85, swift
Trending Score: 32
Source articles: 1
Independent: 1
Info Completeness: 8/14
Missing: epss, cwe, kev, exploit, iocs, mitre_attack

Related CVEs (5)

CRITICAL · CVE-2026-49269
CVE-2026-49269: Apple M1 GPUs retain register file data between compute shader dispatches from different processes. A sandboxed Metal at
Trending: 26
PRE-CVE
Multiple vulnerabilities in Apple iOS, iPadOS, and macOS Tahoe
Trending: 20
CRITICAL · CVE-2025-24284
CVE-2025-24284: This issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in macOS Sequoia 15.4
Trending: 7
HIGH · CVE-2025-31272
CVE-2025-31272: The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.4. An app may be able to bypass la
Trending: 6
CRITICAL · CVE-2025-46293
CVE-2025-46293: This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sequoia 15.4. An app may be ab
Trending: 6

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Jun 12, 2026
Discovered by ZDM: Jun 12, 2026
Actively Exploited: Jun 25, 2026
Patch Available: Jun 25, 2026
Updated: severity, activelyExploited: Jun 25, 2026

Version History

v2 · Tier C · 3d ago

Updated severity to CRITICAL, noted that no exploit is available, and marked the vulnerability as actively exploited.

severity, activelyExploited
via VulDB
v1 · 17d ago

Initial creation