Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests.
This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.
Score 7.5 from GitHub Security Advisory (severity: HIGH) published 2026-06-08. CISA-ADP (Vulnrichment) CVSS v3.1 baseline 7.5; sources differ by 0.0.
A fix is available — apply it.
Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests.
This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.
June 8, 2026
June 30, 2026
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
Red Hat Security Advisory: Red Hat JBoss Core Services Apache HTTP Server 2.4.62 SP4 security update
Red Hat Security Advisory: Red Hat JBoss Core Services Apache HTTP Server 2.4.62 SP4 security update
Red Hat Security Advisory: Red Hat OpenShift Service Mesh 2.6.17
Red Hat Security Advisory: mod_http2 security update
Red Hat Security Advisory: httpd:2.4 security update
Red Hat Security Advisory: mod_http2 security update
Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update
Apache HTTP Server: mod_http2 denial of service
| Vendor / Ecosystem | Fixed in / Patch | Released | Source |
|---|---|---|---|
| ubuntu | apache2-utils (2.4.66-2ubuntu2.2) @ resolute | 2026-07-05 | ubuntu |
| ubuntu | nginx-light (1.28.0-6ubuntu1.5) @ questing | 2026-07-05 | ubuntu |
| ubuntu | nginx-light (1.24.0-2ubuntu7.12) @ noble | 2026-07-05 | ubuntu |
| ubuntu | nginx-light (1.10.3-0ubuntu0.16.04.5+esm9) @ xenial | 2026-07-05 | ubuntu |
| redhat | jbcs-httpd24-mod_http2-0:2.0.29-10.el7jbcs | 2026-06-22 | redhat |
| redhat | jbcs-httpd24-mod_http2 | 2026-06-22 | redhat |
| redhat | openshift-service-mesh/proxyv2-rhel9:1781604724 | 2026-06-18 | redhat |
| redhat | mod_http2-0:2.0.29-4.el10_2.1 | 2026-06-11 | redhat |
| redhat | httpd-main-2.4.68-1.hum1 | 2026-06-10 | redhat |
| redhat | httpd:2.4-8100020260608081321.489197e6 | 2026-06-10 | redhat |
| redhat | mod_http2-0:2.0.26-6.el9_8.1 | 2026-06-10 | redhat |
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Vendors that published advisories for this CVE beyond the curated set above. Broader coverage but minimal per-row detail — click through for the original advisory.
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
Showing the most recent 100 of 183 total refreshes for this CVE.
Working exploit code is in the public domain (9 GitHub PoCs). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
HTTP/2 Bomb (CVE-2026-49975) non-destructive vulnerability detector for Nginx / Apache httpd. Zero-dependency Python.
Open source ↗HTTP/2 Bomb (CVE-2026-49975) non-destructive vulnerability detector for Nginx / Apache httpd. Zero-dependency Python.
Open source ↗HTTP2-Bomb
Open source ↗CVE-2026-49975漏洞复现
Open source ↗CVE-2026-49975
Open source ↗Disclosed on June 3, 2026, the "HTTP/2 Bomb" is an unauthenticated remote DoS that combines an HPACK compression bomb with a Slowloris-style hold to exhaust server memory. It affects default HTTP/2 configurations of **nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora**.
Open source ↗CVE-2026-49975 HTTP/2 Stream Amplification — Docker PoC with Web Console
Open source ↗HTTP/2 Bomb PoC — CVE-2026-49975 (HPACK indexed reference bomb + flow-control stall)
Open source ↗Este repositorio contiene un Proof of Concept (POC) para CVE-2026-49975, también conocida como HTTP/2 Bomb, una vulnerabilidad de denegación de servicio (DoS) remoto que afecta a la mayoría de los servidores web principales en su configuración HTTP/2 predeterminada, incluyendo:
Open source ↗Explore the affected products and dependency analysis for CVE-2026-49975
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.