Home

Description

Use After Free vulnerability in Apache HTTP Server module mod_http2 when file handles are already exhausted. This issue affects Apache HTTP Server: from 2.4.55 through 2.4.67.

PUBLISHED Reserved 2026-05-26 | Published 2026-06-08 | Updated 2026-06-08 | Assigner apache

Problem types

CWE-416 Use After Free

Product status

Default status
unaffected

2.4.55 (semver)
affected

Timeline

2026-05-22:reported
2026-06-03:fixed in 2.4.x by r1934882
2026-06-08:2.4.68 released

Credits

Sam Lovejoy, IBM X-Force Offensive Research (XOR) finder

References

www.openwall.com/lists/oss-security/2026/06/08/15

httpd.apache.org/security/vulnerabilities_24.html vendor-advisory

cve.org (CVE-2026-48913)

nvd.nist.gov (CVE-2026-48913)

Download JSON