Use After Free vulnerability in Apache HTTP Server module mod_http2 when file handles are already exhausted.
This issue affects Apache HTTP Server: from 2.4.55 through 2.4.67.
Score 7.3 from GitHub Security Advisory (severity: HIGH) published 2026-06-08. CISA-ADP (Vulnrichment) CVSS v3.1 baseline 7.3; sources differ by 0.0.
A fix is available — apply it.
Use After Free vulnerability in Apache HTTP Server module mod_http2 when file handles are already exhausted.
This issue affects Apache HTTP Server: from 2.4.55 through 2.4.67.
June 8, 2026
June 10, 2026
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
Red Hat Security Advisory: mod_http2 security, bug fix, and enhancement update
Apache HTTP Server: mod_http2 memory corruption when file handles exhausted
Use After Free vulnerability in Apache HTTP Server module mod_http2 when file handles are already...
| Vendor / Ecosystem | Fixed in / Patch | Released | Source |
|---|---|---|---|
| redhat | mod_http2-0:2.0.29-4.el10_2.2 | 2026-07-01 | redhat |
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
Showing the most recent 100 of 131 total refreshes for this CVE.
redhat
CWE-416
Explore the affected products and dependency analysis for CVE-2026-48913
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.