CVE-2026-49975

Apache HTTP Server: mod_http2 denial of service

CVSS 7.5 HIGHEPSS 9.8%CWE-789

Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests. This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Apache Software Foundation · Apache HTTP Server

public PoCs found — 11

githubgithub.com/mrx-arafat/CVE-2026-49975-POC★ 24 cve_referencegithub.com/EQSTLab/CVE-2026-49975★ 11 githubgithub.com/fevar54/Proof-of-Concept-POC---CVE-2026-49975-HTTP-2-Bomb-★ 6 githubgithub.com/LSG-PolarBear/CVE-2026-49975★ 4 githubgithub.com/obrige/http2-bomb★ 4 githubgithub.com/renzi25031469/CVE-2026-49975-HTTP-2-Bomb★ 1 githubgithub.com/LiaoZiqi-GZFLS/CVE-2026-49975★ 1 githubgithub.com/minc-nice-100/http2-bomb-analysis-paper★ 1 githubgithub.com/adminlove520/http2-bomb-detector★ 1 githubgithub.com/razureink/cve-2026-49975-http2bomb_reproduction★ 0 githubgithub.com/0xc03307b/CVE-2026-49975★ 0

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/EQSTLab/CVE-2026-49975 https://httpd.apache.org/security/vulnerabilities_24.html https://lists.debian.org/debian-lts-announce/2026/06/msg00009.html http://www.openwall.com/lists/oss-security/2026/06/03/3 http://www.openwall.com/lists/oss-security/2026/06/08/16