Apache HTTP Server · EUVD-2026-35101

CVE-2026-48913 · HIGH
Use After Free (CWE-416)
2026-06-08 · apache · GHSA-fjj2-vrp3-84fv
CVSS 3.1 (NVD): 7.3

Severity by source

NVD (primary): 7.3 HIGH, AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
SUSE: 5.9 MEDIUM, AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Analysis Generated: Jun 08, 2026 - 19:28 (vuln.today)
CVSS changed: Jun 08, 2026 - 19:22 (NVD), 7.3 (HIGH)
CVE Published: Jun 08, 2026 - 15:24 (nvd), UNKNOWN (no severity yet)
CVE Published: Jun 08, 2026 - 15:24 (nvd), HIGH 7.3

Description (NVD)

Use After Free vulnerability in Apache HTTP Server module mod_http2 when file handles are already exhausted.

This issue affects Apache HTTP Server: from 2.4.55 through 2.4.67.

Analysis (AI)

Use-after-free in the mod_http2 module of Apache HTTP Server versions 2.4.55 through 2.4.67 allows remote attackers to trigger memory corruption when the server's file handle pool is exhausted. The flaw carries a CVSS score of 7.3 (low impact across confidentiality, integrity, and availability) and is reachable over the network without authentication or user interaction, though no public exploit was identified at time of analysis. …

Attack Chain (AI, Derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify HTTP/2-enabled httpd 2.4.55-2.4.67
Delivery: Open many concurrent h2 streams
Exploit: Exhaust server file-descriptor pool
Execution: Send request triggering mod_http2 cleanup
Persist: Use-after-free dereference in worker
Impact: Worker crash and service disruption

Vulnerability Assessment (AI)

Exploitation: Target must be running Apache HTTP Server 2.4.55-2.4.67 with the mod_http2 module loaded and HTTP/2 (h2 or h2c) advertised on a reachable listener. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: Signals are mixed-but-leaning-moderate. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: A remote attacker opens many concurrent HTTP/2 streams against an internet-facing httpd 2.4.55-2.4.67 instance - for example by abusing keep-alive connections or stream churn - to exhaust the server's file descriptor pool, then sends additional HTTP/2 requests that drive mod_http2 through the cleanup path which dereferences freed memory. The most likely observable outcome is worker-process crashes and intermittent service unavailability for legitimate users; memory-corruption escalation to code execution is not demonstrated by the available data, and no public exploit was identified at time of analysis.

Remediation: No vendor-released patch was identified at time of analysis from the supplied data; consult https://httpd.apache.org/security/vulnerabilities_24.html for the fixed 2.4.x release once published and upgrade beyond 2.4.67. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Inventory all production Apache HTTP Server instances and identify those running versions 2.4.55-2.4.67. …

Vendor Status (Vendor)

SUSE

Severity: Moderate

Product: Status
SUSE Linux Enterprise Desktop 15 SP7: Affected
SUSE Linux Enterprise High Performance Computing 15 SP7: Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7: Affected
SUSE Linux Enterprise Module for Package Hub 15 SP7: Affected
SUSE Linux Enterprise Module for Server Applications 15 SP7: Affected
