CVE-2026-49975: Apache HTTP Server: mod_http2 denial of service
Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests.
This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.
Security readout for executives and security teams
Plain-English summary
CVE-2026-49975 is a denial-of-service flaw in Apache HTTP Server affecting versions 2.4.17 through 2.4.67. Malicious HTTP requests can trigger excessive memory allocation, potentially taking a web service down. The impact is availability, not data theft or code execution based on the provided sources.
Executive priority
High priority for externally reachable Apache services because exploitation can disrupt customer-facing web availability. There is no evidence in the provided sources of data compromise or confirmed active exploitation, but public exploit reference and network reachability justify timely remediation.
Technical view
The record describes a memory allocation with excessive size value issue in Apache HTTP Server mod_http2, mapped to CWE-409 and CWE-789. It is remotely reachable, unauthenticated, low complexity, and rated CVSS 7.5 because successful exploitation can cause high availability impact.
Likely exposure
Organizations running Apache HTTP Server 2.4.17 through 2.4.67, particularly internet-facing deployments using the affected HTTP/2 module, should assess exposure. Distribution-packaged Apache builds may have separate backport status, so validate against Apache, Debian, and Red Hat guidance.
Exploitation context
The bundle lists a public GitHub exploit reference, but KEV status is false and no cited source here confirms active exploitation in the wild. Treat public exploit availability as a reason to prioritize validation and patch tracking without assuming confirmed attacks.
Researcher notes
Evidence supports remote unauthenticated denial of service via excessive memory allocation. The source bundle does not provide safe reproduction details or exact fixed upstream version text, so validation should focus on version/module exposure and vendor advisory status rather than exploit testing.
Mitigation direction
Check Apache HTTP Server advisory for fixed versions or configuration guidance.
Apply relevant vendor updates from Apache or your Linux distribution.
Review Debian LTS and Red Hat advisories for package-specific remediation status.
Prioritize internet-facing Apache servers before internal-only systems.
Consider temporary exposure reduction if updates are not immediately available.
Validation and detection
Inventory Apache HTTP Server versions across production and edge hosts.
Confirm whether deployed versions fall within 2.4.17 through 2.4.67.
Check whether the affected HTTP/2 module is enabled.
Map installed OS packages to Debian or Red Hat advisory status.
Monitor web server availability and memory pressure for abnormal request-driven spikes.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-409: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-409 · source CWE mapping
Improper Handling of Highly Compressed Data (Data Amplification)
Improper Handling of Highly Compressed Data (Data Amplification) represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Memory Allocation with Excessive Size Value represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.