Description

Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests. This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.

PUBLISHED | Reserved 2026-06-02 | Published 2026-06-08 | Updated 2026-06-08 | Assigner: apache

Problem types

CWE-789 Memory Allocation with Excessive Size Value

Product status

Default status: unaffected

2.4.17 (semver): affected

Timeline

2026-05-26: reported
2026-05-27: fixed upstream in mod_h2 https://github.com/icing/mod_h2/commit/35c6e405390ed361189a82acd96675401ea5947c
2026-06-02: fixed in 2.4.x by r1934882
2026-06-08: 2.4.68 released

Credits

Quang Luong of Calif.IO in collaboration with OpenAI Codex (finder)

References

www.openwall.com/lists/oss-security/2026/06/03/3

lists.debian.org/debian-lts-announce/2026/06/msg00009.html

www.openwall.com/lists/oss-security/2026/06/08/16

httpd.apache.org/security/vulnerabilities_24.html (vendor-advisory)

cve.org (CVE-2026-49975)

nvd.nist.gov (CVE-2026-49975)