{"uuid": "750a9aed-b655-4695-9262-6200bfa664e7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49975", "type": "seen", "source": "https://gist.github.com/alon710/523db0554da2f223a1424635be2e087a", "content": "# CVE-2026-49975: Remote Denial of Service via HTTP/2 HPACK Cookie Memory Amplification in Apache HTTP Server\n\n> **CVSS Score:** 7.5\n> **Published:** 2026-06-08\n> **Full Report:** https://cvereports.com/reports/CVE-2026-49975\n\n## Summary\nCVE-2026-49975 describes a high-severity remote Denial of Service (DoS) vulnerability in the Apache HTTP Server's mod_http2 module. Unauthenticated attackers can exploit the HPACK compression and cookie-merging behavior to trigger severe, quadratic memory allocation. The resulting resource exhaustion is sustained by manipulating the HTTP/2 flow-control window, ultimately forcing an Out-of-Memory condition on the server host.\n\n## TL;DR\nA memory amplification bug in Apache's mod_http2 allows remote unauthenticated attackers to exhaust server RAM using small HTTP/2 header streams, causing a Denial of Service.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-789\n- **Attack Vector**: Network\n- **CVSS Score**: 7.5 (High)\n- **EPSS Score**: 0.01313\n- **EPSS Percentile**: 66.94%\n- **Impact**: Remote Denial of Service\n- **Exploit Status**: Proof-of-Concept Available\n- **CISA KEV Status**: Not Listed\n\n## Affected Systems\n\n- **Apache HTTP Server (mod_http2)**: 2.4.17 through 2.4.67 (Fixed in: `2.4.68`)\n\n## Mitigation\n\n- Upgrade to Apache HTTP Server 2.4.68 or later\n- Upgrade mod_http2 to standalone version 2.0.41 or higher\n- Disable HTTP/2 support to fall back to HTTP/1.1\n- Implement operating system or container memory boundaries on worker processes\n\n**Remediation Steps:**\n1. Identify affected server configurations by verifying HTTP/2 status and server version via command-line curl tools.\n2. Apply upstream package updates using default system package managers or compile the latest source distribution of httpd.\n3. If immediate patching is not possible, edit httpd.conf or ssl.conf to limit protocols explicitly to http/1.1.\n4. Apply systemd MemoryMax parameters or run Docker containers with enforced memory and swap limits to prevent system-wide lockups.\n5. Verify the remediation by running automated validation scripts against the newly modified hosts.\n\n## References\n\n- [CVE Official Record](https://www.cve.org/CVERecord?id=CVE-2026-49975)\n- [Apache HTTP Server Security Advisories](https://httpd.apache.org/security/vulnerabilities_24.html)\n- [Upstream Bugfix Commit](https://github.com/icing/mod_h2/commit/35c6e405390ed361189a82acd96675401ea5947c)\n- [Calif.IO HTTP/2 Bomb Discovery Blog](https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb)\n- [OSS-Security List Disclosure](http://www.openwall.com/lists/oss-security/2026/06/03/3)\n- [OSS-Security Official Announcement](http://www.openwall.com/lists/oss-security/2026/06/08/16)\n- [Debian Security Announcement](https://lists.debian.org/debian-lts-announce/2026/06/msg00009.html)\n- [mrx-arafat Proof-of-Concept Exploit](https://github.com/mrx-arafat/CVE-2026-49975-POC)\n- [EQSTLab PoC Repository](https://github.com/EQSTLab/CVE-2026-49975)\n- [LSG-PolarBear PoC Exploit](https://github.com/LSG-PolarBear/CVE-2026-49975)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-49975) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-18T11:21:49.000000Z"}