CVE-2026-49975
Apache HTTP Server: mod_http2 denial of service
Description
Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests. This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.
INFO
Published Date :
June 8, 2026, 4:16 p.m.
Last Modified :
June 10, 2026, 7:36 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
Affected Products
The following products are affected by CVE-2026-49975
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | HIGH | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
Solution
- Apply the latest security patch for Apache HTTP Server.
- Upgrade to a fixed version of Apache HTTP Server.
- Review HTTP request handling for resource exhaustion.
Public PoC/Exploit Available at Github
CVE-2026-49975 has a 19 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-49975.
| URL | Resource |
|---|---|
| https://httpd.apache.org/security/vulnerabilities_24.html | Vendor Advisory |
| http://www.openwall.com/lists/oss-security/2026/06/03/3 | Mailing List Third Party Advisory |
| http://www.openwall.com/lists/oss-security/2026/06/08/16 | Mailing List Third Party Advisory |
| https://lists.debian.org/debian-lts-announce/2026/06/msg00009.html | Mailing List Third Party Advisory |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2026-49975 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2026-49975
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
None
CSS Dockerfile JavaScript Python Shell HTML
争对2026-49975漏洞所创作的普罗米修斯附属模组,但模组本体可以独立运行。改模组底层逻辑可以视为泛洪攻击
Python Batchfile Shell JavaScript CSS HTML
HTTP2-Bomb
Python Dockerfile
None
Shell
None
Python
HTTP/2 Bomb (CVE-2026-49975) non-destructive vulnerability detector for Nginx / Apache httpd. Zero-dependency Python.
Python
HTTP/2 Bomb: HPACK indexed-reference amplification + flow-control stall. A high school student's full protocol analysis (LaTeX). CVE-2026-49975, CVE-2026-47774.
http2-bomb amplification-attack dos-attack hpack http2 security-research vulnerability web-security cve-2026-47774 cve-2026-49975
TeX
HTTP2-Bomb
Disclosed on June 3, 2026, the "HTTP/2 Bomb" is an unauthenticated remote DoS that combines an HPACK compression bomb with a Slowloris-style hold to exhaust server memory. It affects default HTTP/2 configurations of **nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora**.
Shell
None
Shell
None
Python
Know when a CVE can actually be remediated in Red Hat Satellite.
Python
AI-authored YARA + Snort/Suricata detection rules for current malware campaigns and vulnerabilities. Each rule ships with reproducible specimens, structurally-similar benign cases, and a test transcript.
Python YARA JavaScript HTML Batchfile
None
Ruby
CVE-2026-49975 HTTP/2 Stream Amplification — Docker PoC with Web Console
Dockerfile Python HTML
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-49975 vulnerability anywhere in the article.
-
The Hacker News
ThreatsDay Bulletin: Claude Chat Abuse, NastyC2 npm Packages, Device-Code Phishing + 25 More Stories
The internet did not break this week. It got used exactly as designed, which is worse.Searches were siphoned through shady browser add-ons. AI chat links turned into malware delivery paths. macOS atta ... Read more
The following table lists the changes that have been made to the
CVE-2026-49975 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Jun. 10, 2026
Action Type Old Value New Value Added CPE Configuration OR *cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* *cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:* versions up to (excluding) 1.29.8 *cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:* versions from (including) 2.4.17 up to (excluding) 2.4.68 Added Reference Type CVE: http://www.openwall.com/lists/oss-security/2026/06/03/3 Types: Mailing List, Third Party Advisory Added Reference Type CVE: http://www.openwall.com/lists/oss-security/2026/06/08/16 Types: Mailing List, Third Party Advisory Added Reference Type Apache Software Foundation: https://httpd.apache.org/security/vulnerabilities_24.html Types: Vendor Advisory Added Reference Type CVE: https://lists.debian.org/debian-lts-announce/2026/06/msg00009.html Types: Mailing List, Third Party Advisory -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Jun. 09, 2026
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Jun. 08, 2026
Action Type Old Value New Value Added Reference http://www.openwall.com/lists/oss-security/2026/06/08/16 -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Jun. 08, 2026
Action Type Old Value New Value Added Reference http://www.openwall.com/lists/oss-security/2026/06/03/3 Added Reference https://lists.debian.org/debian-lts-announce/2026/06/msg00009.html -
New CVE Received by [email protected]
Jun. 08, 2026
Action Type Old Value New Value Added Description Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests. This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67. Added CWE CWE-789 Added Reference https://httpd.apache.org/security/vulnerabilities_24.html