CVE-2026-49975
Published: 2026-06-08
Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests.
This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.
Priority: P353 · Severity: high · CVSS 3.1 base score: 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 11.47% (95.5th percentile)
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | http_server | >= 2.4.17 < 2.4.68 | 2.4.68 |
| apache | httpd | — | — |
| apache_software_foundation | apache_http_server | 2.4.17 – 2.4.67 | — |
| debian | debian_linux | — | — |
| insights-proxy | insights-proxy-container-rhel9 | — | — |
| openshift-service-mesh | istio-proxyv2-rhel9 | — | — |
| openshift-service-mesh | proxyv2-rhel9 | — | — |
| ubuntu | apache2 | — | — |
| ubuntu | nginx | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| vendor_redhat | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |
GHSA
ghsa_unreviewed · 2026-06-08 · CVE-2026-49975 [HIGH] · CWE-789
Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests.
This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.
VulDB
vuldb · 2026-06-07 · CVE-2026-49975 [CRITICAL]
Apache HTTP Server mod_http2 modules/http2/h2_util.c req_add_header HTTP/2 Bomb denial of service (Nessus ID 319609)
A vulnerability categorized as critical has been discovered in Apache HTTP Server. This impacts the function req_add_header of the file modules/http2/h2_util.c of the component mod_http2. Executing a manipulation can lead to denial of service.
This vulnerability appears as CVE-2026-49975. The attack may be performed from remote. In addition, an exploit is available.
It is best practice to apply a patch to resolve this issue.
Ubuntu
vendor_ubuntu · 2026-06-15 · CVSS 7.5 · CVE-2026-49975 [HIGH]
Title: nginx vulnerability
Summary: nginx could be made to consume excessive resources if it received specially crafted network traffic.
USN-8398-1 fixed a vulnerability in nginx. The update caused a regression and was temporarily reverted in USN-8398-2. This update introduces a complete fix for CVE-2026-49975.
We apologize for the inconvenience.
Original advisory details:
It was discovered that nginx incorrectly handled certain cookie headers in the HTTP/2 implementation. A remote attacker could possibly use this issue to cause nginx to consume excessive resources, resulting in a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
vendor_ubuntu · 2026-06-09 · CVSS 7.5 · CVE-2026-49975 [HIGH]
Title: nginx regression
Summary: USN-8398-1 introduced a regression in nginx
USN-8398-1 fixed a vulnerability in nginx. The update introduced a regression causing nginx to crash when being used with external modules. This update reverts the fix for CVE-2026-49975 pending further investigation.
We apologize for the inconvenience.
Original advisory details:
It was discovered that nginx incorrectly handled certain cookie headers in the HTTP/2 implementation. A remote attacker could possibly use this issue to cause nginx to consume excessive resources, resulting in a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
vendor_ubuntu · 2026-06-08 · CVE-2026-49975
Title: nginx vulnerability
Summary: nginx could be made to consume excessive resources if it received specially crafted network traffic.
It was discovered that nginx incorrectly handled certain cookie headers in the HTTP/2 implementation. A remote attacker could possibly use this issue to cause nginx to consume excessive resources, resulting in a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
vendor_ubuntu · 2026-06-04 · CVE-2026-49975
Title: Apache HTTP Server vulnerability
Summary: Apache HTTP Server could be made to consume excessive resources if it received specially crafted network traffic.
It was discovered that Apache HTTP Server incorrectly handled certain cookie headers in the HTTP/2 implementation. A remote attacker could possibly use this issue to cause Apache HTTP Server to consume excessive resources, resulting in a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
vendor_redhat · 2026-06-03 · CVSS 7.5 · CVE-2026-49975 [HIGH] · CWE-409
httpd: HTTP/2: Remote Denial of Service via compression bomb and Slowloris-style attack
A flaw was found in HTTP/2, affecting various web servers. A remote attacker can exploit this vulnerability by combining an HPACK compression bomb with a zero-byte flow-control window. This technique allows a small amount of data to expand into large memory allocations on the server, which are then held, leading to a denial of service (DoS) by rendering the server inaccessible.
Statement: There's an important denial-of-service vulnerability affecting the Apache's `httpd` HTTP/2 protocol implementation. An unauthenticated remote attacker can exploit this flaw by combining HPACK compression with flow control manipulation, leading to significant server memory exhaustion and rendering the service inacces
No detection rules found.
No public exploits indexed.
Bugzilla
bugzilla · 2026-06-05 · CVE-2026-49975 [HIGH]
CVE-2026-49975 httpd: HTTP/2: Remote Denial of Service via compression bomb and Slowloris-style attack [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
Closing this tracker as the HTTP/2 support and vulnerable code is shipped through mod_http2 package instead of httpd.
Bugzilla
bugzilla · 2026-06-05 · CVE-2026-49975 [HIGH]
CVE-2026-49975 httpd: HTTP/2: Remote Denial of Service via compression bomb and Slowloris-style attack
We’re publishing HTTP/2 Bomb, a remote denial-of-service exploit against most major web servers, including:
- nginx
- Apache httpd
- Microsoft IIS
- Envoy
- Cloudflare Pingora
The vulnerable behavior exists in each server's default HTTP/2 configuration.
The attack was discovered by Codex, which chained two techniques known to humans for a decade: a compression bomb and a Slowloris-style hold. The bomb targets HPACK, HTTP/2's header compression scheme: one byte on the wire becomes one full header allocation on the server, repeated thousands of times per request. The hold is a zero-byte flow-control window that keeps the server from ever freeing any of it.
A curious search on Shodan revealed
Bugzilla
bugzilla · 2026-06-05 · CVE-2026-49975 [HIGH]
CVE-2026-49975 nginx: HTTP/2: Remote Denial of Service via compression bomb and Slowloris-style attack [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
Closing this tracker as the CVE ID associated to it should be used only by mod_http2 from the httpd server.
A new tracker was raised to track the NGINX instead.
*** This bug has been marked as a duplicate of bug 2485558 ***
Bugzilla
bugzilla · 2026-06-05 · CVE-2026-49975 [HIGH]
CVE-2026-49975 mod_http2: HTTP/2: Remote Denial of Service via compression bomb and Slowloris-style attack [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Hackernews
blogs_hackernews · 2026-06-18 · CVE-2026-20127
## ThreatsDay Bulletin: Claude Chat Abuse, NastyC2 npm Packages, Device-Code Phishing + 25 More Stories
The internet did not break this week. It got used exactly as designed, which is worse.
Searches were siphoned through shady browser add-ons. AI chat links turned into malware delivery paths. macOS attacks ran in memory and left almost nothing behind. Cloud agents looked like helpers until attackers treated them like open shells.
Add exposed edge gear, poisoned packages, cash courier scams, stealers, loaders, and phishing that barely bothers pretending anymore. Here’s the full mess.
Microsoft has announced that DNS-over-HTTP
Rapid7
blogs_rapid7 · 2026-06-09 · CVSS 7.8 · CVE-2026-33825 [HIGH]
Patch Tuesday - June 2026
Microsoft is publishing 200 vulnerabilities on June 2026 Patch Tuesday . Microsoft is not aware of exploitation in the wild for any of these vulnerabilities, and is aware of public disclosure for three. This is similar to last month’s Patch Tuesday, however several of last month’s vulnerabilities ended up on CISA KEV in the days following their publication. So far this month, Microsoft has provided patches to address 360 browser vulnerabilities, which is an order of magnitude more than has been typical in any given month over the past few years. As usual, browser vulns are not included in the Patch Tuesday count above. Indeed, the vast, and presumably sustained, uptick in the number of browser vulnerabilities has led to Microsoft no longer enumerating Chromium CVEs in the Security Update G
Bleepingcomputer
blogs_bleepingcomputer · 2026-06-03 · CVE-2026-49975
## New 'HTTP/2 Bomb' DoS attack crashes web servers in under a minute
By Bill Toulas
A new denial-of-service (DoS) attack dubbed HTTP/2 Bomb can be launched from a single machine to take down web servers within seconds.
The technique works on default HTTP/2 configurations of major web servers, including NGINX, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare Pingora.
Discovered by OpenAI's Codex software agent under the guidance of researchers at offensive security firm Calif, HTTP/2 Bomb combines two previously known HTTP/2 DoS methods: the HPACK compression amplification and Slowloris-style resource retention via HTTP/2 flow-control stalling.
When combined, a single client on a 100 Mbps connection can exhaust tens of gigabytes of RAM within seconds, forcing the server to all
References
- https://httpd.apache.org/security/vulnerabilities_24.html
- http://www.openwall.com/lists/oss-security/2026/06/03/3
- http://www.openwall.com/lists/oss-security/2026/06/08/16
- https://lists.debian.org/debian-lts-announce/2026/06/msg00009.html
- https://access.redhat.com/errata/RHSA-2026:25042
- https://access.redhat.com/errata/RHSA-2026:25057
- https://access.redhat.com/errata/RHSA-2026:25090
- https://access.redhat.com/errata/RHSA-2026:25225
- https://access.redhat.com/errata/RHSA-2026:27114
- https://access.redhat.com/errata/RHSA-2026:27200
- https://access.redhat.com/errata/RHSA-2026:27201
- https://access.redhat.com/security/cve/CVE-2026-49975
- https://bugzilla.redhat.com/show_bug.cgi?id=2485371
- https://github.com/EQSTLab/CVE-2026-49975
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-49975.json