CVE-2017-9789
Description
When under stress, closing many connections, the HTTP/2 handling code in Apache httpd 2.4.26 would sometimes access memory after it has been freed, resulting in potentially erratic behaviour.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache HTTP Server 2.4.26 is vulnerable to a use-after-free in its HTTP/2 connection handling, which can cause erratic behavior under stress.
Vulnerability
Apache HTTP Server version 2.4.26 contains a use-after-free vulnerability in its HTTP/2 handling code. Under high stress conditions, when many connections are being closed simultaneously, the server may access memory after it has been freed, leading to potentially erratic behavior [1][2].
Exploitation
An attacker capable of establishing multiple HTTP/2 connections and triggering rapid closure of those connections can induce the race condition. No specific authentication or special network position beyond the ability to send HTTP/2 requests is required. The exploit requires the server to be under sufficient load to trigger the race window [2][3].
Impact
Successful exploitation can lead to unpredictable behavior, including denial of service or potential memory corruption. The official description notes "potentially erratic behaviour," which may include crashes or information exposure. The vulnerability is rated High with a CVSS v3 base score of 7.5 [1][2].
Mitigation
A fix is included in Apache HTTP Server version 2.4.27 and later. Users are advised to update to the latest stable release immediately. For example, Gentoo users should upgrade to www-servers/apache-2.4.27-r1 or later [3]. No workaround is known, as the issue resides in the core HTTP/2 module [2][3].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:apache:http_server:2.4.26:*:*:*:*:*:*:*
- osv-coords, 7 versions, each (no CPE) with range: < 2.4.23-29.13.1
  - pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2
  - pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3
  - pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20Raspberry%20Pi%2012%20SP2
  - pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2
  - pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3
  - pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP2
  - pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3
- Apache Software Foundation/Apache HTTP Server (v5), range: 2.4.26
Patches
No patches discovered yet.
References
- www.securityfocus.com/bid/99568 (nvd; Third Party Advisory, VDB Entry)
- www.securitytracker.com/id/1038907 (nvd; Third Party Advisory, VDB Entry)
- httpd.apache.org/security/vulnerabilities_24.html (nvd; Release Notes, Vendor Advisory)
- lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E (nvd)
- lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E (nvd)
- lists.apache.org/thread.html/9d0098775bd83cf7c33ac5a077ef412c14ce939198921e639c734e20%40%3Cannounce.httpd.apache.org%3E (nvd)
- lists.apache.org/thread.html/r15f9aa4427581a1aecb4063f1b4b983511ae1c9935e2a0a6876dad3c%40%3Ccvs.httpd.apache.org%3E (nvd)
- lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a%40%3Ccvs.httpd.apache.org%3E (nvd)
- lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be%40%3Ccvs.httpd.apache.org%3E (nvd)
- lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E (nvd)
- lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E (nvd)
- lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E (nvd)
- lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E (nvd)
- lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E (nvd)
- lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E (nvd)
- lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E (nvd)
- lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E (nvd)
- lists.apache.org/thread.html/rfcf929bd33a6833e3f0c35eebdad70d5060665f9c4e17ea467c66770%40%3Ccvs.httpd.apache.org%3E (nvd)
- security.gentoo.org/glsa/201710-32 (nvd)
- security.netapp.com/advisory/ntap-20170911-0002/ (nvd)
- support.apple.com/HT208221 (nvd)
- support.hpe.com/hpsc/doc/public/display (nvd)