{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-49975", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-06-02T17:20:37.983Z", "datePublished": "2026-06-08T15:26:04.674Z", "dateUpdated": "2026-06-09T15:25:56.229Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache HTTP Server", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "2.4.67", "status": "affected", "version": "2.4.17", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Quang Luong of Calif.IO in collaboration with OpenAI Codex"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests.</p><p>This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.</p><p><br></p>"}], "value": "Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests.\n\nThis issue affects Apache HTTP Server: from 2.4.17 through 2.4.67."}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-789", "description": "CWE-789 Memory Allocation with Excessive Size Value", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-06-08T15:26:04.674Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}], "source": {"discovery": "UNKNOWN"}, "timeline": [{"lang": "en", "time": "2026-05-26T12:00:00.000Z", "value": "reported"}, {"lang": "en", "time": "2026-05-27T12:00:00.000Z", "value": "fixed upstream in mod_h2 https://github.com/icing/mod_h2/commit/35c6e405390ed361189a82acd96675401ea5947c"}, {"lang": "en", "time": "2026-06-02T12:00:00.000Z", "value": "fixed in 2.4.x by r1934882"}, {"lang": "eng", "time": "2026-06-08T12:00:00.000Z", "value": "2.4.68 released"}], "title": "Apache HTTP Server: mod_http2 denial of service", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/06/03/3"}, {"url": "https://lists.debian.org/debian-lts-announce/2026/06/msg00009.html"}, {"url": "http://www.openwall.com/lists/oss-security/2026/06/08/16"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-06-08T22:32:35.729Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-06-09T15:25:51.036143Z", "id": "CVE-2026-49975", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-09T15:25:56.229Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-49975", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-09T15:25:51.036143Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-06-09T15:25:45.811Z"}}], "cna": {"title": "Apache HTTP Server: mod_http2 denial of service", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Quang Luong of Calif.IO in collaboration with OpenAI Codex"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "moderate"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache HTTP Server", "versions": [{"status": "affected", "version": "2.4.17", "versionType": "semver", "lessThanOrEqual": "2.4.67"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-05-26T12:00:00.000Z", "value": "reported"}, {"lang": "en", "time": "2026-05-27T12:00:00.000Z", "value": "fixed upstream in mod_h2 https://github.com/icing/mod_h2/commit/35c6e405390ed361189a82acd96675401ea5947c"}, {"lang": "en", "time": "2026-06-02T12:00:00.000Z", "value": "fixed in 2.4.x by r1934882"}, {"lang": "eng", "time": "2026-06-08T12:00:00.000Z", "value": "2.4.68 released"}], "references": [{"url": "https://httpd.apache.org/security/vulnerabilities_24.html", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests.\n\nThis issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.", "supportingMedia": [{"type": "text/html", "value": "<p>Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests.</p><p>This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.</p><p><br></p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-789", "description": "CWE-789 Memory Allocation with Excessive Size Value"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-06-08T15:26:04.674Z"}}}, "cveMetadata": {"cveId": "CVE-2026-49975", "state": "PUBLISHED", "dateUpdated": "2026-06-08T22:32:35.729Z", "dateReserved": "2026-06-02T17:20:37.983Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-06-08T15:26:04.674Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "DD819875-456D-45A6-90C9-4EDA544029A4", "versionEndExcluding": "2.4.68", "versionStartIncluding": "2.4.17", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*", "matchCriteriaId": "E4C30BEE-3999-49BA-B96B-127E0BE9E954", "versionEndExcluding": "1.29.8", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests.\n\nThis issue affects Apache HTTP Server: from 2.4.17 through 2.4.67."}], "id": "CVE-2026-49975", "lastModified": "2026-06-10T19:36:37.510", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-06-08T16:16:44.223", "references": [{"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/06/03/3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/06/08/16"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2026/06/msg00009.html"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-789"}], "source": "security@apache.org", "type": "Secondary"}]}

{"bugzilla": {"description": "httpd: HTTP/2: Remote Denial of Service via compression bomb and Slowloris-style attack", "id": "2485371", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2485371"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-409", "details": ["A flaw was found in HTTP/2, affecting various web servers. A remote attacker can exploit this vulnerability by combining an HPACK compression bomb with a zero-byte flow-control window. This technique allows a small amount of data to expand into large memory allocations on the server, which are then held, leading to a denial of service (DoS) by rendering the server inaccessible."], "mitigation": {"lang": "en:us", "value": "There's no current mitigation for Apache's httpd server other than disabling HTTP/2 support for the VirtualHost. This is achieved by adding the following line into the configuration of a given virtual host:\n~~~\nProtocols http/1.1\n~~~\nAfter the change is in place the `httpd` service need to be restarted by running:\n~~~\nsystemctl restart httpd\n~~~\nNotice this change will force the httpd to only support HTTPv1.1 protocol."}, "name": "CVE-2026-49975", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Under investigation", "package_name": "openshift-service-mesh/proxyv2-rhel9", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Under investigation", "package_name": "openshift-service-mesh/istio-proxyv2-rhel9", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "mod_http2", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "mod_http2", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "mod_http2", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Affected", "package_name": "httpd", "product_name": "Red Hat Hardened Images"}, {"cpe": "cpe:/a:redhat:insights_proxy:1", "fix_state": "Affected", "package_name": "insights-proxy/insights-proxy-container-rhel9", "product_name": "Red Hat Lightspeed proxy 1"}], "public_date": "2026-06-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-49975\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-49975\nhttps://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb"], "statement": "There's and important denial-of-service vulnerability affecting the Apache's `httpd` HTTP/2 protocol implementation. An unauthenticated remote attacker can exploit this flaw by combining HPACK compression with flow control manipulation, leading to significant server memory exhaustion and rendering the service inaccessible. This vulnerability exists in default HTTP/2 configurations.", "threat_severity": "Important"}