CVE-2026-49975
Received Received - Intake
Memory Allocation DoS in Apache HTTP Server mod_http

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: Apache Software Foundation

Description
Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests. This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-08
Last Modified
2026-06-08
Generated
2026-06-09
AI Q&A
2026-06-08
EPSS Evaluated
N/A
NVD
CVE-2026-49975
EUVD
EUVD-2026-35105
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apache http_server From 2.4.17 (inc) to 2.4.67 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-789 The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Memory Allocation with Excessive Size Value issue in the Apache HTTP Server's mod_http module. It occurs when the server processes malicious HTTP requests that cause it to allocate an excessively large amount of memory.

The affected versions are Apache HTTP Server from 2.4.17 through 2.4.67.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability can lead to a denial of service (DoS) condition. An attacker can send specially crafted HTTP requests that cause the server to allocate excessive memory, potentially exhausting system resources and making the server unavailable to legitimate users.

Detection Guidance

This vulnerability involves excessive memory allocation triggered by malicious HTTP/2 requests, particularly through header fields like cookie crumbs. Detection can focus on monitoring unusual HTTP/2 traffic patterns that include abnormally large or numerous headers.

Network or system administrators can look for signs of denial-of-service attempts by inspecting HTTP/2 header sizes and counts, especially cookie headers, using packet capture tools or web server logs.

Suggested commands include using tools like tcpdump or Wireshark to capture HTTP/2 traffic and filter for large or excessive headers. For example:

  • tcpdump -i <interface> -s 0 -w capture.pcap 'tcp port 443'
  • Use Wireshark to analyze the capture.pcap file, filtering for HTTP/2 frames with large header fields.

Additionally, reviewing Apache HTTP Server logs for unusually large or numerous cookie headers in requests may help identify exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include upgrading the Apache HTTP Server to a version where the vulnerability is fixed (mod_http2 v2.0.41 or later).

If upgrading is not immediately possible, consider disabling HTTP/2 support on the server to prevent exploitation via HTTP/2 header fields.

Another mitigation is to enforce hard limits on header counts and memory usage, such as limiting the number and size of cookie headers to prevent excessive memory allocation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49975. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart