CVE-2026-48913
Description
Apache HTTP Server mod_http2 Use-After-Free vulnerability when file handles are exhausted affects versions 2.4.55 through 2.4.67.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A Use-After-Free vulnerability exists in the mod_http2 module of Apache HTTP Server when file handles are exhausted. This issue affects Apache HTTP Server versions from 2.4.55 through 2.4.67 [1].
Exploitation
Exploitation details are not yet disclosed in the available references. An attacker would likely need to induce file handle exhaustion affecting the mod_http2 module in order to trigger the vulnerability [1].
Impact
Details regarding the specific impact of this Use-After-Free vulnerability are not yet disclosed in the available references. However, Use-After-Free vulnerabilities can often lead to denial-of-service conditions or arbitrary code execution, depending on the context [1].
Mitigation
Apache HTTP Server version 2.4.68, released on 2026-06-08, fixes this issue [1]. Users are recommended to upgrade to version 2.4.68 or later. No workarounds are mentioned in the available references [1].
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 2.4.55 - 2.4.67
Patches
135c6e405390e cookie request header counting (#324)
1 file changed · +4 −0
mod_http2/h2_util.c+4 −0 modified@@ -1708,6 +1708,8 @@ static apr_status_t req_add_header(apr_table_t *headers, apr_pool_t *pool, && !ap_cstr_casecmpn("cookie", (const char *)nv->name, nv->namelen)) { existing = apr_table_get(headers, "cookie"); if (existing) { + if (!nv->valuelen) + return APR_SUCCESS; /* Cookie header come separately in HTTP/2, but need * to be merged by "; " (instead of default ", ") */ @@ -1719,6 +1721,8 @@ static apr_status_t req_add_header(apr_table_t *headers, apr_pool_t *pool, apr_table_setn(headers, "Cookie", apr_psprintf(pool, "%s; %.*s", existing, (int)nv->valuelen, nv->value)); + /* Treat the merge as an "add" to not escape LimitRequestFields */ + *pwas_added = 1; return APR_SUCCESS; } }
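Review bot: the early `return APR_SUCCESS` for `!nv->valuelen` in the first hunk leaves the call without the `*pwas_added = 1` that the second hunk adds for merged fragments, so an empty Cookie fragment arriving after an existing Cookie header is still not counted toward LimitRequestFields even though the peer did send a header field. Either set `*pwas_added = 1` before that return as well, or add a comment explaining why empty fragments are deliberately exempt from the count.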
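Review bot: the comment `/* Treat the merge as an "add" to not escape LimitRequestFields */` in the second hunk would read more clearly as "count the merge as an added field so merged Cookie fragments still count toward LimitRequestFields"; the hunk also only fixes the field count, while the `apr_psprintf` merge keeps growing the single Cookie value by `nv->valuelen` on every fragment, so please confirm (and note in the comment) where the merged value's total length is bounded.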
Vulnerability mechanics
Root cause
"The module does not correctly account for merged cookie headers when file handles are exhausted, leading to a use-after-free condition."
Attack vector
An attacker can trigger this vulnerability by sending multiple HTTP/2 requests carrying the same cookie header. The module attempts to merge these headers; if file handles are exhausted while it does so, a use-after-free can occur. Exploitation therefore requires crafted requests that exhaust the available file handles before the cookie header merge completes.
Affected code
The vulnerability resides in the `req_add_header` function within the file `mod_http2/h2_util.c`.
What the fix does
The patch modifies the `req_add_header` function in `mod_http2/h2_util.c`. It now correctly accounts for merged cookie headers by treating them as an 'add' operation, ensuring that `LimitRequestFields` remains effective. Additionally, it handles cases where cookie values might be empty, preventing potential issues during the merging process and thus mitigating the use-after-free vulnerability.
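As an added illustration of the accounting change described above (model code written for this page, not httpd's own; the `req_headers` struct and both function names are invented), the same HTTP/2 Cookie fragments are fed through the pre-patch and the patched counting rules, showing that only the patched rule lets merged crumbs count toward `LimitRequestFields` and drops empty fragments.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model (not httpd code) of how mod_http2's req_add_header()
 * accumulates HTTP/2 Cookie fragments and how many header fields it counts
 * toward LimitRequestFields. Only the Cookie field is modelled. */
typedef struct {
    char cookie[1024];   /* merged Cookie value; "" when none seen yet */
    int  fields_added;   /* fields counted against LimitRequestFields */
} req_headers;

/* Adds one Cookie fragment. fixed=0 models the pre-patch accounting,
 * fixed=1 the patched one. Returns 0 if the merged value would overflow. */
static int add_cookie_fragment(req_headers *h, const char *value, int fixed)
{
    size_t vlen = strlen(value);
    size_t used = strlen(h->cookie);

    if (used == 0) {
        /* First Cookie header: an ordinary add, counted either way. */
        if (vlen + 1 > sizeof h->cookie)
            return 0;
        memcpy(h->cookie, value, vlen + 1);
        h->fields_added++;
        return 1;
    }
    if (fixed && vlen == 0)
        return 1;                 /* patched: empty fragment is skipped */
    /* HTTP/2 delivers cookie crumbs as separate fields; merge with "; " */
    if (used + 2 + vlen + 1 > sizeof h->cookie)
        return 0;
    snprintf(h->cookie + used, sizeof h->cookie - used, "; %s", value);
    if (fixed)
        h->fields_added++;        /* patched: a merge counts as an add */
    return 1;
}

/* Feeds n fragments into h; returns the field count, or -1 once the count
 * exceeds `limit` (the LimitRequestFields value) or a value would overflow. */
static int feed_cookie_fragments(req_headers *h, const char **frags, int n,
                                 int limit, int fixed)
{
    for (int i = 0; i < n; i++) {
        if (!add_cookie_fragment(h, frags[i], fixed) || h->fields_added > limit)
            return -1;
    }
    return h->fields_added;
}
```

Feeding a constructed sequence such as `"sid=1", "lang=en", "", "theme=dark"` with a limit of 100 yields a count of 1 under the pre-patch rule and 3 under the patched rule, and the patched rule rejects the same sequence once the limit is 2.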
Preconditions
- config: The Apache HTTP Server must be configured to use the mod_http2 module.
- input: The server must be under conditions where file handles are exhausted.
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
- Apache HTTP Server: 11 Vulnerabilities Disclosed, Including DoS and Memory Corruption Flaws. Vypr Intelligence · Jun 8, 2026