CVE-2026-49975 — Apache HTTP Server: mod_http2 denial of service

Description

Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests. This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.

How to fix CVE-2026-49975

To remediate CVE-2026-49975, upgrade the affected package to a fixed version below.

Alpine/nginx—upgrade to 1.28.3-r3 or later
Bitnami/apache—upgrade to 2.4.68 or later
—upgrade to 2.4.67-1~deb11u2 or later

Is CVE-2026-49975 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-49975.

Affected packages (3)

from 0, < 1.28.3-r3
>= 2.4.17, < 2.4.68
from 0, < 2.4.67-1~deb11u2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (7)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2026-49975
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-49975
WEBhttpd.apache.org/security/vulnerabilities_24.html
WEBlists.debian.org/debian-lts-announce/2026/06/msg00009.html