CVE-2026-49975: Apache HTTP Server: mod_http2 denial of service
Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http2 leads to denial of service via malicious HTTP requests. This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: no fixed version published yet
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a denial-of-service vulnerability in Apache HTTP Server's mod_http2 module, affecting versions 2.4.17 through 2.4.67. An unauthenticated remote attacker can send a crafted HTTP/2 request over the network to trigger a memory allocation whose size is excessive and attacker-influenced (the CWE-789 pattern named in the description), with no prior access or user interaction required. Successful exploitation crashes or exhausts the affected server process, making the service unavailable. No fix version has been published yet; HarborGuard tracks the upstream advisory and will make a patched-image rebuild available as soon as Apache ships a fix.
HarborGuard Coverage
- Detection: Available
Detection for CVE-2026-49975 is active across every HarborGuard environment; the CVE is matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle Apache HTTP Server. Any image carrying a mod_http2-enabled Apache build in the affected version range is flagged automatically.
- Scoring and routing: Available
HarborGuard scores this finding at CVSS 7.5 (HIGH) using the published v3.1 vector and can weight that score against each customer's per-environment compliance policy to determine breach thresholds. Routed findings are delivered to the appropriate team inbox within each customer organization based on configured ownership rules.
- Patched rebuild: Pending upstream
Because no upstream fix version has been published, HarborGuard re-checks the Apache advisory on every ingest cycle and will make a patched-image rebuild available automatically as soon as Apache releases a corrected version. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads are triggered without manual intervention once a fix is available.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the Apache HTTP Server over the network and negotiate HTTP/2 with it: the vulnerable module only handles requests on listeners where mod_http2 is loaded and h2 or h2c is offered.
- Authentication: Not required
No credentials or account of any kind are needed; the malicious request can be sent by any unauthenticated client.
- Victim interaction: Not required
The attacker does not need any human on the target system to take an action; sending the crafted request alone triggers the vulnerability.
- Attack complexity: Low
Attack complexity is low: the exploit is reliable and needs no special conditions, race timing, or environmental setup beyond network access to an HTTP/2-enabled listener.
Blast Radius
- The affected httpd server process exhausts available memory or crashes; every site and virtual host served by that process, and every connection it was handling, goes down with it.
- Legitimate HTTP and HTTPS traffic to the server is dropped for the duration of the attack, causing a full service outage for end users.
- If the server runs in a container without a memory limit, the excessive allocation competes for host memory, so the kernel's out-of-memory handling can hit co-located workloads rather than just the httpd container.
- Availability impact is rated HIGH with no confidentiality or integrity component, so data is not read or modified, but service continuity is fully disrupted.
How HarborGuard Handles This
Available on HarborGuard: detection for this CVE is active now, flagging any image in the 2.4.17 to 2.4.67 range that includes mod_http2. Because Apache has not yet published a fix, no patched rebuild is available at this time. HarborGuard re-checks the upstream advisory on every ingest cycle; once Apache publishes a corrected version, a patched-image rebuild will become available immediately, and customers with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a PR opened against affected workloads automatically.
In the interim, compensating controls worth considering:
- A network policy or WAF rule in front of HTTP/2 endpoints that drops oversized or malformed frames.
- Disabling mod_http2 in images where HTTP/2 is not required: remove or comment out its LoadModule line, or at minimum drop h2 and h2c from the Protocols directive so no listener negotiates HTTP/2, then confirm with httpd -M that http2_module is no longer loaded.
- Container memory limits to bound the blast radius of an allocation attack: with a limit in place, an out-of-memory kill is confined to the httpd container instead of spilling onto the host.
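The two checks a practitioner would want for this finding, as an added example that is not HarborGuard's or Apache's code: classify an httpd build against the affected range and module list described under Detection above, and audit an httpd.conf for the interim mitigation (mod_http2 not loaded, no h2/h2c in Protocols). It assumes only the standard output formats of httpd -v ("Server version: Apache/2.4.x (...)") and httpd -M ("Loaded Modules:" followed by one " name_module (shared|static)" line per module); the version strings, module lists and config texts at the bottom are constructed sample inputs, not captured from a real host.

```shell
#!/bin/sh
# Added example, not HarborGuard's or Apache's code. Two checks for CVE-2026-49975:
#   is_affected      - httpd build in 2.4.17..2.4.67 with mod_http2 loaded?
#   audit_h2_config  - does an httpd.conf still load mod_http2 or offer h2/h2c?
# Assumed inputs: text of `httpd -v` and `httpd -M`, and the httpd.conf text.

# Return 0 if a dotted version (e.g. 2.4.62) lies in 2.4.17 .. 2.4.67 inclusive.
in_affected_range() {
    case $1 in *.*.*) ;; *) return 1 ;; esac      # need major.minor.patch
    major=${1%%.*}; rest=${1#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    case $patch in ''|*[!0-9]*) return 1 ;; esac  # patch must be numeric
    [ "$major" = 2 ] && [ "$minor" = 4 ] || return 1
    [ "$patch" -ge 17 ] && [ "$patch" -le 67 ]
}

# Print the version from `httpd -v` output; prints nothing if the line is absent.
httpd_version() {
    printf '%s\n' "$1" | sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if `httpd -M` output lists http2_module.
has_mod_http2() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*http2_module'
}

# Return 0 when the build is in the affected range AND mod_http2 is loaded.
is_affected() {   # $1 = `httpd -v` output, $2 = `httpd -M` output
    v=$(httpd_version "$1")
    [ -n "$v" ] && in_affected_range "$v" && has_mod_http2 "$2"
}

# Audit httpd.conf text for the interim mitigation. Prints one line per finding;
# returns 0 when HTTP/2 is off (module not loaded and no Protocols line offering
# h2 or h2c), 1 otherwise. Comment lines are ignored.
audit_h2_config() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | awk '
        tolower($1) == "loadmodule" && $2 == "http2_module" {
            print "mod_http2 still loaded: " $0; bad = 1
        }
        tolower($1) == "protocols" {
            for (i = 2; i <= NF; i++)
                if ($i == "h2" || $i == "h2c") { print "HTTP/2 still offered: " $0; bad = 1 }
        }
        END { if (bad) exit 1; exit 0 }'
}

# Constructed sample inputs standing in for real `httpd -v` / `httpd -M` / httpd.conf.
V_OUT='Server version: Apache/2.4.62 (Unix)
Server built:   Jan  1 2025 00:00:00'
M_OUT='Loaded Modules:
 core_module (static)
 http2_module (shared)
 ssl_module (shared)'
M_NO_H2='Loaded Modules:
 core_module (static)
 ssl_module (shared)'
VULN_CONF='LoadModule http2_module modules/mod_http2.so
Protocols h2 h2c http/1.1'
FIXED_CONF='#LoadModule http2_module modules/mod_http2.so
Protocols http/1.1'

if is_affected "$V_OUT" "$M_OUT"; then
    echo "httpd $(httpd_version "$V_OUT") with mod_http2 loaded: in CVE-2026-49975 range"
fi
echo "--- vulnerable config"
audit_h2_config "$VULN_CONF" || echo "(not mitigated)"
echo "--- mitigated config"
audit_h2_config "$FIXED_CONF" && echo "HTTP/2 disabled: mod_http2 not loaded, no h2/h2c offered"
```

On a live host, feed the functions the real outputs, e.g. is_affected "$(httpd -v)" "$(httpd -M 2>/dev/null)" (apache2ctl on Debian-derived images, where a2dismod http2 is the usual way to unload the module). The version check only tells you the build is in the published range with the module loaded; it says nothing about which allocation is at fault, so it should be replaced by the vendor's fixed-version check as soon as Apache publishes one.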
Affected Products
- Apache Software Foundation / Apache HTTP Server: 2.4.17 through 2.4.67
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H