Description
Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests.

This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.
Published: 2026-06-08
Score: 7.5 High
EPSS: 9.8% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the mod_http component of Apache HTTP Server, an attacker can send a malicious HTTP request that requests an excessively large size value, forcing the server to allocate an unusually large amount of memory and potentially exhaust resources, thereby denying service to legitimate users. The flaw is identified as CWE‑409 (Uncontrolled Memory Allocation) and CWE‑789 (Inadequate Validation of Resource Limits).

Affected Systems

The flaw affects Apache Software Foundation’s Apache HTTP Server versions 2.4.17 through 2.4.67; any deployment running one of these versions that receives HTTP requests is susceptible unless the issue has been fixed by a patch or upgraded to a later release.

Risk and Exploitability

The CVSS score of 7.5 categorizes this as a high‑severity issue; the EPSS score of 10% indicates a moderate probability of exploitation, and it is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker can trigger the vulnerability remotely by sending a crafted HTTP request to a publicly reachable server, with no special privileges required, thereby executing a straightforward network‑based denial‑of‑service attack.

Generated by OpenCVE AI on June 24, 2026 at 12:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Apache HTTP Server release that fixes the excessive size allocation flaw (addressing CWE‑409 and CWE‑789).
  • If an upgrade is not immediately possible, configure request limits such as LimitRequestBody, RequestReadTimeout, and mod_reqtimeout to enforce sane boundaries and guard against uncontrolled memory allocation (CWE‑409).
  • Enable or tune connection timeout and traffic shaping mechanisms (e.g., Timeout, mod_reqtimeout, or firewall rules) to prevent long‑running requests from exhausting resources, mitigating inadequate resource limit validation (CWE‑789).
  • Apply rate limiting or firewall rules to cap traffic volume and protect against DoS triggers.

Generated by OpenCVE AI on June 24, 2026 at 12:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4620-1 apache2 security update
Debian DSA Debian DSA DSA-6323-1 apache2 security update
Ubuntu USN Ubuntu USN USN-8398-1 nginx vulnerability
Ubuntu USN Ubuntu USN USN-8398-3 nginx vulnerability
History

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Debian
Debian debian Linux
F5
F5 nginx
CPEs cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
Vendors & Products Debian
Debian debian Linux
F5
F5 nginx

Tue, 09 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache http Server
Vendors & Products Apache
Apache http Server

Mon, 08 Jun 2026 23:30:00 +0000

Type Values Removed Values Added
References

Mon, 08 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
References

Mon, 08 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description A flaw was found in HTTP/2, affecting various web servers. A remote attacker can exploit this vulnerability by combining an HPACK compression bomb with a zero-byte flow-control window. This technique allows a small amount of data to expand into large memory allocations on the server, which are then held, leading to a denial of service (DoS) by rendering the server inaccessible. Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests. This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.
Title httpd: HTTP/2: Remote Denial of Service via compression bomb and Slowloris-style attack Apache HTTP Server: mod_http2 denial of service
Weaknesses CWE-789
References

Sat, 06 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Description A flaw was found in HTTP/2, affecting various web servers. A remote attacker can exploit this vulnerability by combining an HPACK compression bomb with a zero-byte flow-control window. This technique allows a small amount of data to expand into large memory allocations on the server, which are then held, leading to a denial of service (DoS) by rendering the server inaccessible.
Title httpd: HTTP/2: Remote Denial of Service via compression bomb and Slowloris-style attack
Weaknesses CWE-409
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Important

Subscriptions

Apache Http Server
Debian Debian Linux
F5 Nginx
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-18T10:29:04.207Z

Reserved: 2026-06-02T17:20:37.983Z

Link: CVE-2026-49975

cve-icon Vulnrichment

Updated: 2026-06-08T22:32:35.729Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-08T16:16:44.223

Modified: 2026-06-10T19:36:37.510

Link: CVE-2026-49975

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-03T00:00:00Z

Links: CVE-2026-49975 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T12:15:05Z

Weaknesses
  • CWE-409

    Improper Handling of Highly Compressed Data (Data Amplification)

  • CWE-789

    Memory Allocation with Excessive Size Value