Bug 2456538 (CVE-2026-39865)

Summary: CVE-2026-39865 axios: Axios: Denial of Service via HTTP/2 session cleanup logic state corruption
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aazores, abarbaro, abrianik, abuckta, akostadi, alcohan, alizardo, amasferr, anthomas, bbrownin, bdettelb, brasmith, caswilli, chfoley, cmah, cmyers, cochase, dbosanac, dhanak, dkuc, dmayorov, dnakabaa, doconnor, dranck, drosa, dschmidt, dymurray, eaguilar, ebaron, eborisov, ehelms, erezende, ewittman, fdeutsch, ggainey, ggrzybek, gmalinko, gparvin, ibek, ibolton, janstey, jbalunas, jchui, jhe, jkoehler, jlanda, jlledo, jmatthew, jmontleo, jolong, jraez, jreimann, jrokos, juwatts, kaycoth, kshier, ktsao, lball, lchilton, lcouzens, lphiri, mdessi, mhulan, mnovotny, mrizzi, nboldt, ngough, nipatil, nmoumoul, oaljalju, orabin, oramraz, osousa, pahickey, pantinor, parichar, pcattana, pcreech, pdelbell, pgaikwad, pjindal, psrna, rchan, rgodfrey, rhaigner, rhel-process-autobot, rjohnson, rkubis, rstepani, sausingh, sdawley, sdoran, sfeifer, simaishi, slucidi, smallamp, smcdonal, smullick, sseago, stcannon, stirabos, swoodman, tasato, teagle, thason, tmalecek, tsedmik, veshanka, watson-tool-maintainers, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Axios, a promise-based HTTP client. A malicious server can exploit a state corruption bug within the HTTP/2 session cleanup logic, specifically in the Http2Sessions.getSession() method. By initiating concurrent session closures, the server can trigger a control flow error, leading to a client process crash. This vulnerability results in a Denial of Service (DoS) for the client application.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2456565, 2456568, 2456570, 2456573, 2456574, 2456576, 2456578, 2456566, 2456567, 2456569, 2456571, 2456572, 2456575, 2456577    
Bug Blocks:    

Description OSIDB Bzimport 2026-04-08 15:02:15 UTC 
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.13.2, Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process through concurrent session closures. The vulnerability exists in the Http2Sessions.getSession() method in lib/adapters/http.js. The session cleanup logic contains a control flow error when removing sessions from the sessions array. This vulnerability is fixed in 1.13.2.