← back
CVE-2026-49975

Apache HTTP Server: mod_http2 denial of service

CVSS 7.5 HIGHEPSS 9.8%CWE-789
Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests. This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products
Apache Software Foundation · Apache HTTP Server
public PoCs found11
githubgithub.com/mrx-arafat/CVE-2026-49975-POC23cve_referencegithub.com/EQSTLab/CVE-2026-4997510githubgithub.com/fevar54/Proof-of-Concept-POC---CVE-2026-49975-HTTP-2-Bomb-6githubgithub.com/LSG-PolarBear/CVE-2026-499754githubgithub.com/obrige/http2-bomb4githubgithub.com/renzi25031469/CVE-2026-49975-HTTP-2-Bomb1githubgithub.com/LiaoZiqi-GZFLS/CVE-2026-499751githubgithub.com/minc-nice-100/http2-bomb-analysis-paper1githubgithub.com/adminlove520/http2-bomb-detector1githubgithub.com/razureink/cve-2026-49975-http2bomb_reproduction0githubgithub.com/0xc03307b/CVE-2026-499750
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/EQSTLab/CVE-2026-49975https://httpd.apache.org/security/vulnerabilities_24.htmlhttps://lists.debian.org/debian-lts-announce/2026/06/msg00009.htmlhttp://www.openwall.com/lists/oss-security/2026/06/03/3http://www.openwall.com/lists/oss-security/2026/06/08/16