High severity7.5NVD Advisory· Published Jun 8, 2026· Updated Jun 10, 2026
CVE-2026-49975
CVE-2026-49975
Description
Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests.
This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
15cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*range: >=2.4.17,<2.4.68
- (no CPE)range: 2.4.17 - 2.4.67
- osv-coords12 versionspkg:bitnami/apachepkg:rpm/almalinux/httpdpkg:rpm/almalinux/httpd-develpkg:rpm/almalinux/httpd-filesystempkg:rpm/almalinux/httpd-manualpkg:rpm/almalinux/httpd-toolspkg:rpm/almalinux/mod_http2pkg:rpm/almalinux/mod_ldappkg:rpm/almalinux/mod_mdpkg:rpm/almalinux/mod_proxy_htmlpkg:rpm/almalinux/mod_sessionpkg:rpm/almalinux/mod_ssl
>= 2.4.17, < 2.4.68+ 11 more
- (no CPE)range: >= 2.4.17, < 2.4.68
- (no CPE)range: < 2.4.37-65.module_el8.10.0+4185+0955a0d7.8
- (no CPE)range: < 2.4.37-65.module_el8.10.0+4185+0955a0d7.8
- (no CPE)range: < 2.4.37-65.module_el8.10.0+4185+0955a0d7.8
- (no CPE)range: < 2.4.37-65.module_el8.10.0+4185+0955a0d7.8
- (no CPE)range: < 2.4.37-65.module_el8.10.0+4185+0955a0d7.8
- (no CPE)range: < 2.0.26-6.el9_8.1
- (no CPE)range: < 2.4.37-65.module_el8.10.0+4185+0955a0d7.8
- (no CPE)range: < 1:2.0.8-8.module_el8.10.0+4088+57f011c1.2
- (no CPE)range: < 1:2.4.37-65.module_el8.10.0+4185+0955a0d7.8
- (no CPE)range: < 2.4.37-65.module_el8.10.0+4185+0955a0d7.8
- (no CPE)range: < 1:2.4.37-65.module_el8.10.0+4185+0955a0d7.8
Patches
Vulnerability mechanics
References
4- www.openwall.com/lists/oss-security/2026/06/03/3nvdMailing ListThird Party Advisory
- www.openwall.com/lists/oss-security/2026/06/08/16nvdMailing ListThird Party Advisory
- httpd.apache.org/security/vulnerabilities_24.htmlnvdVendor Advisory
- lists.debian.org/debian-lts-announce/2026/06/msg00009.htmlnvdMailing ListThird Party Advisory
News mentions
12- Citrix Patches NetScaler Vulnerabilities, Including New ‘HTTP/2 Bomb’ AttackSecurityWeek · Jul 1, 2026
- ThreatsDay Bulletin: Claude Chat Abuse, NastyC2 npm Packages, Device-Code Phishing + 25 More StoriesThe Hacker News · Jun 18, 2026
- PoC Exploit Released for HTTP/2 Bomb Remote DoS Vulnerability in Apache HTTP ServerCyber Security News · Jun 18, 2026
- HTTP/2 Bomb Attacks Put Telcos, Healthcare Orgs at RiskDark Reading · Jun 15, 2026
- Apache HTTP Server and Answer: 22 Vulnerabilities Disclosed, Including Critical FlawsVypr Intelligence · Jun 10, 2026
- Patch Tuesday - June 2026Rapid7 Blog · Jun 9, 2026
- Apache HTTP Server 2.4.68 Released With Fix For Use-After-Free, DoS, XSS, and Buffer Overflow FlawsCyber Security News · Jun 9, 2026
- Apache HTTP Server: 11 Vulnerabilities Disclosed, Including DoS and Memory Corruption FlawsVypr Intelligence · Jun 8, 2026
- OpenAI's agent chained decade-old DoS attacks to crash web servers in secondsThe Register Security · Jun 4, 2026
- New 'HTTP/2 Bomb' DoS attack crashes web servers in under a minuteBleepingComputer · Jun 3, 2026
- ‘HTTP/2 Bomb’ Exploit Knocks Web Servers Offline in SecondsSecurityWeek · Jun 3, 2026
- HTTP/2 Bomb — Remote DoS Exploit Hits nginx, Apache, IIS, Envoy, and Cloudflare PingoraCyber Security News · Jun 3, 2026