Description
Use After Free vulnerability in Apache HTTP Server module mod_http2 when file handles are already exhausted.

This issue affects Apache HTTP Server: from 2.4.55 through 2.4.67.
Published: 2026-06-08
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a use‑after‑free in the mod_http2 module that occurs when the server has already exhausted its file handles. The resulting memory corruption can allow an attacker to manipulate internal data structures, potentially leading to arbitrary code execution or denial of service.

Affected Systems

The flaw is present in Apache HTTP Server versions 2.4.55 through 2.4.67, all available from the Apache Software Foundation.

Risk and Exploitability

The exploit requires the attacker to force the server into a state where file handles are fully consumed, and then send crafted HTTP/2 traffic that triggers the use‑after‑free. While the current EPSS score is unavailable and the vulnerability is not listed in CISA KEV, the lack of a public exploit combined with the potential for remote code execution suggests a high risk. The CVSS score is not provided, so the exact severity is unknown, but the memory corruption indicates a serious threat if mitigated quickly.

Generated by OpenCVE AI on June 8, 2026 at 16:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an Apache HTTP Server update to a version newer than 2.4.67.
  • If the update cannot be performed immediately, disable the mod_http2 module or configure limits to prevent file handle exhaustion.
  • Monitor the server for signs of memory corruption or crashes in the mod_http2 module and investigate any anomalies.

Generated by OpenCVE AI on June 8, 2026 at 16:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Use After Free vulnerability in Apache HTTP Server module mod_http2 when file handles are already exhausted. This issue affects Apache HTTP Server: from 2.4.55 through 2.4.67.
Title Apache HTTP Server: mod_http2 memory corruption when file handles exhausted
Weaknesses CWE-416
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-08T15:24:52.573Z

Reserved: 2026-05-26T12:46:05.340Z

Link: CVE-2026-48913

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-08T16:16:43.390

Modified: 2026-06-08T16:16:43.390

Link: CVE-2026-48913

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-08T16:45:26Z

Weaknesses