Description
Use After Free vulnerability in Apache HTTP Server module mod_http2 when file handles are already exhausted.

This issue affects Apache HTTP Server: from 2.4.55 through 2.4.67.
Published: 2026-06-08
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a use‑after‑free in the mod_http2 module that occurs when the server has already exhausted its file handles. The resulting memory corruption can allow an attacker to manipulate internal data structures, potentially leading to arbitrary code execution or denial of service.

Affected Systems

The flaw is present in Apache HTTP Server versions 2.4.55 through 2.4.67, all available from the Apache Software Foundation.

Risk and Exploitability

The exploit requires the attacker to force the server into a state where file handles are fully consumed, and then send crafted HTTP/2 traffic that triggers the use‑after‑free. While the EPSS score is unavailable and the vulnerability is not listed in CISA KEV, the lack of a public exploit combined with the potential for remote code execution suggests a high risk. The CVSS score is 7.3, indicating a high severity, but the memory corruption indicates a serious threat if mitigated quickly.

Generated by OpenCVE AI on June 8, 2026 at 20:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an Apache HTTP Server update to a version newer than 2.4.67.
  • If the update cannot be performed immediately, disable the mod_http2 module or configure limits to prevent file handle exhaustion.
  • Monitor the server for signs of memory corruption or crashes in the mod_http2 module and investigate any anomalies.

Generated by OpenCVE AI on June 8, 2026 at 20:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4629-1 apache2 security update
History

Wed, 10 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*

Mon, 08 Jun 2026 23:30:00 +0000

Type Values Removed Values Added
References

Mon, 08 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 08 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache http Server
Vendors & Products Apache
Apache http Server

Mon, 08 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Use After Free vulnerability in Apache HTTP Server module mod_http2 when file handles are already exhausted. This issue affects Apache HTTP Server: from 2.4.55 through 2.4.67.
Title Apache HTTP Server: mod_http2 memory corruption when file handles exhausted
Weaknesses CWE-416
References

Subscriptions

Apache Http Server
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-08T22:32:34.557Z

Reserved: 2026-05-26T12:46:05.340Z

Link: CVE-2026-48913

cve-icon Vulnrichment

Updated: 2026-06-08T22:32:34.557Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-08T16:16:43.390

Modified: 2026-06-10T19:31:10.350

Link: CVE-2026-48913

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-08T20:45:32Z

Weaknesses