Skip to main content

Apache EUVD-2026-35105

| CVE-2026-49975 HIGH
Memory Allocation with Excessive Size Value (CWE-789)
2026-06-03 GHSA-262v-g5h9-6mc6
Apache Denial Of Service Red Hat
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Analysis Updated
Jun 09, 2026 - 17:30 vuln.today
v4 (cvss_changed)
Analysis Updated
Jun 09, 2026 - 17:30 vuln.today
v3 (cvss_changed)
Re-analysis Queued
Jun 09, 2026 - 17:22 vuln.today
cvss_changed
CVSS changed
Jun 09, 2026 - 17:22 NVD
7.5 (HIGH)
Source Code Evidence Fetched
Jun 03, 2026 - 16:01 vuln.today
Analysis Generated
Jun 03, 2026 - 15:40 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Denial of service in Apache HTTP Server 2.4.17 through 2.4.67 (via the bundled mod_http2 module) allows remote unauthenticated attackers to exhaust server memory by sending crafted HTTP/2 requests whose cookie headers are not correctly counted against LimitRequestFields. Publicly available exploit code exists and a third-party write-up describes a 'hidden HTTP/2 bomb,' but EPSS exploitation probability is currently very low (0.02%, 5th percentile) and the CVE is not on the CISA KEV list.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Recommended ActionAI

24 hours: Identify all systems running Apache HTTP Server 2.4.17-2.4.67 in production and non-production environments. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed

Share

EUVD-2026-35105 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy