HarborGuard Database
Severity: HIGH | CVE-2026-48913 | CNA: apache

CVE-2026-48913: Apache HTTP Server: mod_http2 memory corruption when file handles exhausted

Use After Free vulnerability in Apache HTTP Server module mod_http2 when file handles are already exhausted. This issue affects Apache HTTP Server: from 2.4.55 through 2.4.67.

Metrics

CVSS v3.1: 7.3
Severity: HIGH
Fixed in: no fix version published yet
Affected products: 1


HarborGuard Analysis

Synopsis

A use-after-free vulnerability exists in the mod_http2 module of Apache HTTP Server versions 2.4.55 through 2.4.67. The flaw is reachable over the network without any authentication and is triggered when the server's file handles are exhausted, causing the module to operate on freed memory. Successful exploitation gives an attacker limited read access, limited write access, and can degrade service availability. No fix version has been published yet; HarborGuard tracks the advisory and will make a patched rebuild available as soon as an upstream fix is released.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from Apache and NVD feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Apache HTTP Server. Any image containing an affected mod_http2 version (2.4.55 through 2.4.67) is flagged automatically.

Status: Available

Triage

HarborGuard scores this issue at CVSS 7.3 (HIGH) and applies per-environment compliance policy weighting to prioritize it accordingly within each customer org. Triage routing is available to direct alerts to the appropriate team inbox based on the service owner and policy configuration in each environment.

Status: Available

Patch

No upstream fix has been published for this CVE. HarborGuard re-checks the Apache and NVD advisory feeds on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix version is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be initiated automatically at that point.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable mod_http2 endpoint is exposed over the network, so an attacker must be able to send HTTP/2 requests to the server to trigger the flaw.

  • Authentication: Not required

    No account or credential of any kind is needed; the vulnerability is reachable by unauthenticated HTTP/2 requests.

  • Victim interaction: Not required

    Exploitation is fully server-side; no user or administrator action is required to trigger the use-after-free condition.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental prerequisites beyond a file-handle-exhausted server state.

Blast Radius

  • An attacker can read portions of server memory, which may include in-flight request data, headers, or session-related content.
  • An attacker can write to freed memory regions, enabling limited corruption of server-side data structures or in-flight response content.
  • The use-after-free condition can crash or destabilize the mod_http2 worker, causing HTTP/2 request handling to fail and degrading service availability for connected clients.
  • Because all three impact dimensions (confidentiality, integrity, availability) are affected, a single exploit attempt can combine data leakage, content tampering, and service disruption.

How HarborGuard Handles This

Available on HarborGuard: because no upstream patch exists for CVE-2026-48913, the platform monitors the Apache and NVD advisory feeds on every ingest cycle and will automatically make a patched-image rebuild available the moment Apache publishes a fix version. For customers with auto-remediation enabled, that rebuild triggers a regression test run and opens a PR against affected workloads with no manual intervention required. In the interim, compensating controls are worth considering: network policy can restrict HTTP/2 traffic to trusted sources only, and file-descriptor limits on the server process can be tuned to reduce the likelihood of handle exhaustion that triggers the vulnerable code path. If mod_http2 is not strictly required by a workload, disabling the module via server configuration eliminates the attack surface entirely until a patch is available.
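The two checks the paragraph above implies, as an added illustrative audit script (not HarborGuard's or Apache's own code): whether an httpd version string falls inside the affected range 2.4.55 through 2.4.67, and whether a configuration file both loads mod_http2 and actually negotiates HTTP/2 through the `Protocols` directive (httpd's default for `Protocols` is `http/1.1` only, so a loaded module with no `h2`/`h2c` entry is not reachable over HTTP/2). The function names and the two sample configurations are constructed for this demo, and the script assumes the directives live in the single file being inspected rather than in `Include`d files or per-virtual-host overrides.

```shell
#!/bin/sh
# Audit helpers for CVE-2026-48913 (added example; hypothetical function names,
# not HarborGuard or Apache code). Affected range per the advisory: 2.4.55..2.4.67.

# httpd_version_affected "2.4.60" -> exit 0 if the version is inside 2.4.55..2.4.67
httpd_version_affected() {
    ver="$1"
    major=$(printf '%s\n' "$ver" | cut -d. -f1)
    minor=$(printf '%s\n' "$ver" | cut -d. -f2)
    # strip any suffix such as "-1ubuntu1" from the patch component
    patch=$(printf '%s\n' "$ver" | cut -d. -f3 | sed 's/[^0-9].*//')
    [ "$major" = "2" ] && [ "$minor" = "4" ] \
        && [ "${patch:-0}" -ge 55 ] && [ "${patch:-0}" -le 67 ]
}

# httpd_version_from_banner "Server version: Apache/2.4.60 (Unix)" -> "2.4.60"
# (first line of `httpd -v` output)
httpd_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Server version: Apache\/\([0-9.]*\).*/\1/p'
}

# config_enables_h2 FILE -> exit 0 only if FILE has an uncommented
# "LoadModule http2_module ..." AND a Protocols directive listing h2 or h2c.
config_enables_h2() {
    cfg="$1"
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+http2_module' "$cfg" || return 1
    grep -Ei '^[[:space:]]*Protocols[[:space:]]' "$cfg" \
        | grep -Eqi '(^|[[:space:]])h2c?([[:space:]]|$)'
}

# --- demo on constructed sample configs (not from any real server) ---
exposed=$(mktemp)
hardened=$(mktemp)
cat > "$exposed" <<'EOF'
LoadModule http2_module modules/mod_http2.so
Protocols h2 h2c http/1.1
EOF
# Hardened variant: module not loaded and HTTP/2 removed from Protocols.
cat > "$hardened" <<'EOF'
#LoadModule http2_module modules/mod_http2.so
Protocols http/1.1
EOF

banner='Server version: Apache/2.4.60 (Unix)'   # constructed sample banner
v=$(httpd_version_from_banner "$banner")
if httpd_version_affected "$v"; then
    echo "httpd $v is in the affected range"
else
    echo "httpd $v is outside the affected range"
fi
for f in "$exposed" "$hardened"; do
    if config_enables_h2 "$f"; then
        echo "$f: HTTP/2 enabled; mod_http2 reachable"
    else
        echo "$f: HTTP/2 not negotiated; mod_http2 not reachable"
    fi
done
rm -f "$exposed" "$hardened"
```

On a live host the banner comes from `httpd -v` (or `apachectl -v`) and the config from the server's main configuration file; because `Protocols` may also be set inside `<VirtualHost>` blocks and included files, treat a negative result from `config_enables_h2` on a single file as a prompt to inspect the rest of the configuration tree, not as proof that HTTP/2 is off.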

Affected packages

  • Apache Software Foundation / Apache HTTP Server: ≤ 2.4.67

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L