CVE-2026-49975

HIGHPre-NVD 7.57.5
EchelonGraph scoreHIGH confidence

Score 7.5 from GitHub Security Advisory (severity: HIGH) published 2026-06-08. CISA-ADP (Vulnrichment) CVSS v3.1 baseline 7.5; sources differ by 0.0.

Triggered by: GitHub Security Advisory CVSS
Sources: cisa-adp, epss, ghsa
Trending — 4 sources updated this weekElevated
7.5
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: 11%CVSS: 7.5Exploit: NoneExposed: 0

A fix is available — apply it.

Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests.

This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.

CVSS v3
7.5
EG Score
7.5(high)
EPSS
95.5%
KEV
Not listed

Published

June 8, 2026

Last Modified

June 30, 2026

Advisory Details (4)

Auto-updated Jun 10, 2026
⚠️ Active exploitation confirmed. Patch available.
generic Patch Available

[SECURITY] [DLA 4620-1] apache2 security update

https://lists.debian.org/debian-lts-announce/2026/06/msg00009.html
generic

oss-security - CVE-2026-49975: Apache HTTP Server: mod_http2 denial of service

http://www.openwall.com/lists/oss-security/2026/06/08/16
generic Patch Available

oss-security - HTTP/2 Bomb affects Apache httpd, nginx, envoy, & pingora

http://www.openwall.com/lists/oss-security/2026/06/03/3
generic Patch Available🔴 Active Exploitation

Apache HTTP Server 2.4 vulnerabilities - The Apache HTTP Server Project

https://httpd.apache.org/security/vulnerabilities_24.html

Patch Availability(11)

Vendor / EcosystemFixed in / PatchReleasedSource
ubuntuapache2-utils (2.4.66-2ubuntu2.2) @ resolute2026-07-05ubuntu
ubuntunginx-light (1.28.0-6ubuntu1.5) @ questing2026-07-05ubuntu
ubuntunginx-light (1.24.0-2ubuntu7.12) @ noble2026-07-05ubuntu
ubuntunginx-light (1.10.3-0ubuntu0.16.04.5+esm9) @ xenial2026-07-05ubuntu
redhatjbcs-httpd24-mod_http2-0:2.0.29-10.el7jbcs2026-06-22redhat
redhatjbcs-httpd24-mod_http22026-06-22redhat
redhatopenshift-service-mesh/proxyv2-rhel9:17816047242026-06-18redhat
redhatmod_http2-0:2.0.29-4.el10_2.12026-06-11redhat
redhathttpd-main-2.4.68-1.hum12026-06-10redhat
redhathttpd:2.4-8100020260608081321.489197e62026-06-10redhat
redhatmod_http2-0:2.0.26-6.el9_8.12026-06-10redhat

Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.

Weakness Classification(2)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

Additional Vendor Advisories

(4)

Vendors that published advisories for this CVE beyond the curated set above. Broader coverage but minimal per-row detail — click through for the original advisory.

Data Freshness Timeline

(refreshed 35× in last 7d / 183× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

Showing the most recent 100 of 183 total refreshes for this CVE.

  1. 2026-07-06 16:27 UTCEPSS rescore
  2. 2026-07-05 17:38 UTCEG score recompute
  3. 2026-07-05 17:38 UTCVendor advisory
  4. 2026-07-05 17:38 UTCGHSA enrichment
  5. 2026-07-05 02:30 UTCEPSS rescore
  6. 2026-07-04 15:03 UTCEG score recompute
  7. 2026-07-04 15:03 UTCVendor advisory
  8. 2026-07-04 15:02 UTCGHSA enrichment
  9. 2026-07-04 06:31 UTCEPSS rescore
  10. 2026-07-03 20:35 UTCEG score recompute
  11. 2026-07-03 20:35 UTCVendor advisory
  12. 2026-07-03 20:34 UTCGHSA enrichment
  13. 2026-07-03 09:26 UTCEG score recompute
  14. 2026-07-03 09:26 UTCVendor advisory
  15. 2026-07-03 09:26 UTCGHSA enrichment
  16. 2026-07-02 16:42 UTCEG score recompute
  17. 2026-07-02 16:42 UTCVendor advisory
  18. 2026-07-02 16:42 UTCGHSA enrichment
  19. 2026-07-02 05:16 UTCEG score recompute
  20. 2026-07-02 05:16 UTCVendor advisory
  21. 2026-07-02 05:16 UTCGHSA enrichment
  22. 2026-07-01 18:08 UTCEG score recompute
  23. 2026-07-01 18:08 UTCVendor advisory
  24. 2026-07-01 18:08 UTCGHSA enrichment
  25. 2026-07-01 15:07 UTCEPSS rescore
Show 75 more
  1. 2026-07-01 06:55 UTCEG score recompute
  2. 2026-07-01 06:55 UTCVendor advisory
  3. 2026-07-01 06:55 UTCGHSA enrichment
  4. 2026-06-30 23:22 UTCEPSS rescore
  5. 2026-06-30 18:30 UTCEG score recompute
  6. 2026-06-30 18:30 UTCVendor advisory
  7. 2026-06-30 18:30 UTCGHSA enrichment
  8. 2026-06-30 07:22 UTCEG score recompute
  9. 2026-06-30 07:22 UTCVendor advisory
  10. 2026-06-30 07:22 UTCGHSA enrichment
  11. 2026-06-29 19:20 UTCEG score recompute
  12. 2026-06-29 19:20 UTCVendor advisory
  13. 2026-06-29 19:20 UTCGHSA enrichment
  14. 2026-06-29 08:13 UTCEG score recompute
  15. 2026-06-29 08:13 UTCVendor advisory
  16. 2026-06-29 08:13 UTCGHSA enrichment
  17. 2026-06-28 20:33 UTCEG score recompute
  18. 2026-06-28 20:33 UTCVendor advisory
  19. 2026-06-28 20:33 UTCGHSA enrichment
  20. 2026-06-28 09:26 UTCEG score recompute
  21. 2026-06-28 09:26 UTCVendor advisory
  22. 2026-06-28 09:26 UTCGHSA enrichment
  23. 2026-06-28 04:56 UTCEPSS rescore
  24. 2026-06-28 04:56 UTCEPSS rescore
  25. 2026-06-27 22:17 UTCEG score recompute
  26. 2026-06-27 22:17 UTCVendor advisory
  27. 2026-06-27 22:17 UTCGHSA enrichment
  28. 2026-06-27 11:03 UTCEG score recompute
  29. 2026-06-27 11:03 UTCVendor advisory
  30. 2026-06-27 11:03 UTCGHSA enrichment
  31. 2026-06-27 03:08 UTCEPSS rescore
  32. 2026-06-26 23:56 UTCEG score recompute
  33. 2026-06-26 23:56 UTCVendor advisory
  34. 2026-06-26 23:55 UTCGHSA enrichment
  35. 2026-06-26 12:48 UTCEG score recompute
  36. 2026-06-26 12:48 UTCVendor advisory
  37. 2026-06-26 12:48 UTCGHSA enrichment
  38. 2026-06-25 23:50 UTCEG score recompute
  39. 2026-06-25 23:50 UTCVendor advisory
  40. 2026-06-25 23:50 UTCGHSA enrichment
  41. 2026-06-25 13:49 UTCEPSS rescore
  42. 2026-06-25 12:44 UTCEG score recompute
  43. 2026-06-25 12:44 UTCVendor advisory
  44. 2026-06-25 12:44 UTCGHSA enrichment
  45. 2026-06-25 01:37 UTCEG score recompute
  46. 2026-06-25 01:37 UTCVendor advisory
  47. 2026-06-25 01:37 UTCGHSA enrichment
  48. 2026-06-24 14:31 UTCEG score recompute
  49. 2026-06-24 14:31 UTCVendor advisory
  50. 2026-06-24 14:31 UTCGHSA enrichment
  51. 2026-06-24 14:05 UTCEPSS rescore
  52. 2026-06-24 03:24 UTCEG score recompute
  53. 2026-06-24 03:24 UTCVendor advisory
  54. 2026-06-24 03:24 UTCGHSA enrichment
  55. 2026-06-23 21:33 UTCEPSS rescore
  56. 2026-06-23 21:33 UTCEPSS rescore
  57. 2026-06-23 16:04 UTCEG score recompute
  58. 2026-06-23 16:04 UTCVendor advisory
  59. 2026-06-23 16:03 UTCGHSA enrichment
  60. 2026-06-22 22:46 UTCEG score recompute
  61. 2026-06-22 22:46 UTCVendor advisory
  62. 2026-06-22 22:46 UTCGHSA enrichment
  63. 2026-06-22 14:25 UTCEPSS rescore
  64. 2026-06-22 14:25 UTCEPSS rescore
  65. 2026-06-22 05:47 UTCEG score recompute
  66. 2026-06-22 05:47 UTCVendor advisory
  67. 2026-06-22 05:46 UTCGHSA enrichment
  68. 2026-06-21 14:56 UTCEPSS rescore
  69. 2026-06-21 14:56 UTCEPSS rescore
  70. 2026-06-21 11:00 UTCEG score recompute
  71. 2026-06-21 11:00 UTCVendor advisory
  72. 2026-06-21 11:00 UTCGHSA enrichment
  73. 2026-06-21 01:59 UTCEPSS rescore
  74. 2026-06-21 01:59 UTCEPSS rescore
  75. 2026-06-20 21:52 UTCEG score recompute

Publicly available exploits

(9 references)

Working exploit code is in the public domain (9 GitHub PoCs). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.

  • GitHub PoCadminlove520/http2-bomb-detector
    First seen Jun 13, 2026

    HTTP/2 Bomb (CVE-2026-49975) non-destructive vulnerability detector for Nginx / Apache httpd. Zero-dependency Python.

    Open source ↗
  • GitHub PoCmindcodings/http2-bomb-detector
    First seen Jun 13, 2026

    HTTP/2 Bomb (CVE-2026-49975) non-destructive vulnerability detector for Nginx / Apache httpd. Zero-dependency Python.

    Open source ↗
  • GitHub PoCEQSTLab/CVE-2026-49975
    First seen Jun 10, 2026

    HTTP2-Bomb

    Open source ↗
  • GitHub PoCLSG-PolarBear/CVE-2026-49975
    First seen Jun 10, 2026

    CVE-2026-49975漏洞复现

    Open source ↗
  • GitHub PoCLiaoZiqi-GZFLS/CVE-2026-49975
    First seen Jun 10, 2026

    CVE-2026-49975

    Open source ↗
  • GitHub PoCrenzi25031469/CVE-2026-49975-HTTP-2-Bomb
    First seen Jun 8, 2026

    Disclosed on June 3, 2026, the "HTTP/2 Bomb" is an unauthenticated remote DoS that combines an HPACK compression bomb with a Slowloris-style hold to exhaust server memory. It affects default HTTP/2 configurations of **nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora**.

    Open source ↗
  • GitHub PoCobrige/http2-bomb
    First seen Jun 5, 2026

    CVE-2026-49975 HTTP/2 Stream Amplification — Docker PoC with Web Console

    Open source ↗
  • GitHub PoCmrx-arafat/CVE-2026-49975-POC
    First seen Jun 4, 2026

    HTTP/2 Bomb PoC — CVE-2026-49975 (HPACK indexed reference bomb + flow-control stall)

    Open source ↗
  • GitHub PoCfevar54/Proof-of-Concept-POC---CVE-2026-49975-HTTP-2-Bomb-
    First seen Jun 3, 2026

    Este repositorio contiene un Proof of Concept (POC) para CVE-2026-49975, también conocida como HTTP/2 Bomb, una vulnerabilidad de denegación de servicio (DoS) remoto que afecta a la mayoría de los servidores web principales en su configuración HTTP/2 predeterminada, incluyendo:

    Open source ↗

Frequently asked(5)

What is CVE-2026-49975?
CVE-2026-49975 is a high vulnerability published on June 8, 2026. Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests. This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.
When was CVE-2026-49975 disclosed?
CVE-2026-49975 was first published in the National Vulnerability Database on June 8, 2026, with the most recent update on June 30, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-49975 actively exploited?
CVE-2026-49975 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 95.5% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-49975?
CVE-2026-49975 has a CVSS v3.1 base score of 7.5 (CISA-ADP / Vulnrichment enrichment; NVD's own analysis pending).
How do I remediate CVE-2026-49975?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-49975, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-49975

Explore →

Is Your Infrastructure Affected by CVE-2026-49975?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.