Apache HTTP Server: mod_http2 denial of service
Summary
| CVE | CVE-2026-49975 |
|---|---|
| State | PUBLISHED |
| Assigner | apache |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-08 16:16:44 UTC |
| Updated | 2026-07-08 13:16:50 UTC |
| Description | Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests. This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67. |
Risk And Classification
Primary CVSS: v3.1 7.5 HIGH from ADP
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.114710000 probability, percentile 0.954950000 (date 2026-07-08)
Problem Types: CWE-789 | CWE-409 | CWE-789 CWE-789 Memory Allocation with Excessive Size Value | CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | DECLARED | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | ADP | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Http Server | All | All | All | All |
| Operating System | Debian | Debian Linux | 11.0 | All | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/errata/RHSA-2026:25057 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| www.openwall.com/lists/oss-security/2026/06/08/16 | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | Mailing List, Third Party Advisory |
| httpd.apache.org/security/vulnerabilities_24.html | [email protected] | httpd.apache.org | Vendor Advisory |
| access.redhat.com/security/cve/CVE-2026-49975 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:25042 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| lists.debian.org/debian-lts-announce/2026/06/msg00009.html | af854a3a-2127-422b-91ae-364da2661108 | lists.debian.org | Mailing List, Third Party Advisory |
| access.redhat.com/errata/RHSA-2026:27201 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| www.openwall.com/lists/oss-security/2026/06/03/3 | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | Mailing List, Third Party Advisory |
| access.redhat.com/errata/RHSA-2026:27114 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:25090 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:25225 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:27200 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-49975.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| github.com/EQSTLab/CVE-2026-49975 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | github.com | Exploit, Third Party Advisory |
| access.redhat.com/errata/RHSA-2026:36373 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Quang Luong of Calif.IO in collaboration with OpenAI Codex (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-05-26T12:00:00.000Z | reported |
| CNA | 2026-05-27T12:00:00.000Z | fixed upstream in mod_h2 https://github.com/icing/mod_h2/commit/35c6e405390ed361189a82acd96675401ea5947c |
| CNA | 2026-06-02T12:00:00.000Z | fixed in 2.4.x by r1934882 |
| CNA | 2026-06-08T12:00:00.000Z | 2.4.68 released |
| ADP | 2026-06-05T06:04:44.009Z | Reported to Red Hat. |
| ADP | 2026-06-03T00:00:00.000Z | Made public. |
Solutions
ADP: RHSA-2026:27200: Red Hat JBoss Core Services on RHEL 7 Server, Red Hat JBoss Core Services on RHEL 8
ADP: RHSA-2026:25225: Red Hat Enterprise Linux AppStream (v. 10)
ADP: RHSA-2026:25090: Red Hat Enterprise Linux AppStream (v. 8)
ADP: RHSA-2026:36373: Red Hat Enterprise Linux AppStream E4S (v.8.8), Red Hat Enterprise Linux AppStream TUS (v.8.8)
ADP: RHSA-2026:25057: Red Hat Enterprise Linux AppStream (v. 9)
ADP: RHSA-2026:25042: Red Hat Hardened Images
ADP: RHSA-2026:27201: Red Hat JBoss Core Services 2.4.62.SP4
ADP: RHSA-2026:27114: Red Hat OpenShift Service Mesh 2.6
Workarounds
ADP: See the security bulletin for a detailed mitigation procedure.