HIGH 7.5

CVE-2026-49975: Apache HTTP Server Memory Allocation DoS Vulnerability (2.4.17–2.4.67)

Apache HTTP Server contains a vulnerability in its mod_http module that allows attackers to crash the web server by sending specially crafted HTTP requests. The flaw stems from improper memory allocation handling—specifically, when the server attempts to allocate an excessively large block of memory in response to a malicious request, it can exhaust system resources and cause a denial of service. No user authentication is required to exploit this vulnerability, and attackers can trigger it remotely over the network. Affected versions span from 2.4.17 through 2.4.67.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-409, CWE-789
Affected products
2 configuration(s)
Published / Modified
2026-06-08 / 2026-07-15

NVD description (verbatim)

Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests. This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.

18 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-49975 is a memory allocation vulnerability (CWE-409: Improper Handling of Exceptional Conditions; CWE-789: Memory Allocation with Excessive Size Value) in Apache HTTP Server's mod_http module. The vulnerability arises when the server processes HTTP requests without proper validation of memory allocation sizes, allowing an attacker to trigger allocation of unreasonably large memory buffers. This exhausts available memory resources, leading to service termination or severe performance degradation. The attack vector is network-based with low complexity and no privilege or user interaction requirements, resulting in a CVSS v3.1 base score of 7.5 (HIGH severity). The vulnerability impacts availability but not confidentiality or integrity.

Business impact

Availability disruption represents the primary business risk. Affected Apache HTTP Server instances can be rendered unavailable, disrupting web services, APIs, and dependent applications. For organizations relying on Apache for production workloads—particularly e-commerce platforms, SaaS providers, content delivery, and API gateways—successful exploitation could translate to service downtime, lost transactions, degraded customer experience, and reputational damage. The ease of exploitation (no authentication or user interaction required) increases the likelihood of opportunistic attacks. Recovery may require manual intervention to restart services, potentially extending outage duration.

Affected systems

Apache HTTP Server versions 2.4.17 through 2.4.67 are vulnerable. Debian Linux distributions packaging affected Apache versions are also in scope. Organizations should inventory their Apache deployments, document version numbers, and cross-reference against this range. Note that the vulnerability does not affect versions prior to 2.4.17 or patched releases beyond 2.4.67 (verify against the vendor advisory for the specific fixed version).

Exploitability

Exploitability is straightforward and attractive to attackers. The attack requires no authentication, no special user privileges, and no user interaction; a remote attacker can send a single malicious HTTP request to trigger the vulnerability. The low complexity and network accessibility make this vulnerability suitable for automated scanning and large-scale exploitation campaigns. The absence of CISA KEV status (as of the data provided) does not diminish real-world risk; active exploitation is plausible given the simplicity and impact. No advanced exploitation techniques or zero-day sophistication is required.

Remediation

Patching is the primary mitigation. Organizations should apply the vendor's security update for Apache HTTP Server to transition beyond the affected version range (2.4.17–2.4.67). Verify the specific patched version in the Apache Security Advisory. In the interim, network-level controls such as request filtering, rate limiting, and WAF rules targeting abnormal Content-Length or Transfer-Encoding headers may provide partial mitigation. However, these compensating controls are not a substitute for patching. Organizations unable to patch immediately should consider temporarily disabling mod_http or restricting HTTP traffic to trusted sources; however, this may not be operationally feasible for production systems.

Patch guidance

Consult the Apache HTTP Server Security Advisory for the exact fixed version and update procedure. Patches are typically available via official Apache repositories and Linux distribution package managers (e.g., apt for Debian systems). Plan patching to align with your change management schedule and testing windows. Verify functionality post-patch in a staging environment before production rollout. For containerized deployments, rebuild base images and redeploy. For compliance-sensitive environments, document the patching activity and timing.

Detection guidance

Monitor web server logs for unusual HTTP requests containing extremely large Content-Length or Transfer-Encoding header values, or requests that trigger memory allocation anomalies. Observe server resource consumption (memory utilization, process crash logs) correlated with incoming HTTP traffic. Enable detailed logging in Apache (mod_log_config) to capture request headers. Endpoint Detection and Response (EDR) tools can flag unexpected memory exhaustion or server process crashes. IDS/IPS signatures targeting excessive allocation requests may detect attack attempts. Baseline your typical memory profile and alert on significant, unexplained spikes.

Why prioritize this

This vulnerability warrants high-priority patching due to the combination of ease of exploitation (network-accessible, no auth required), broad applicability (affects a widely-deployed web server across multiple versions), clear business impact (service availability), and low attack complexity. Organizations operating Apache in production should treat this as critical in their patch management queue. The CVSS 7.5 (HIGH) score reflects the availability impact, and the straightforward attack path means exploitation will likely occur if unpatched systems remain exposed.

Risk score, explained

The CVSS v3.1 base score of 7.5 (HIGH) is driven by network accessibility (AV:N), low attack complexity (AC:L), no privilege requirement (PR:N), no user interaction (UI:N), and high impact on availability (A:H). The absence of confidentiality and integrity impact (C:N, I:N) prevents a CRITICAL rating. However, contextual factors—such as the scope of Apache deployments and the ease of triggering the flaw—may elevate organizational risk beyond the base score in many operational environments.

Frequently asked questions

What versions of Apache HTTP Server are affected?

Versions 2.4.17 through 2.4.67 are vulnerable. Verify your installed version with 'apache2ctl -v' (or 'httpd -v' on some systems). Consult the Apache Security Advisory for the specific patched version that closes this vulnerability.

Can this vulnerability be exploited without network access?

No. The attack is entirely remote and requires only the ability to send HTTP requests to the affected server. No credentials, physical access, or user interaction is needed.

Will a Web Application Firewall (WAF) fully protect me if I cannot patch immediately?

A WAF can reduce risk by filtering requests with abnormal headers or patterns, but it is not a reliable substitute for patching. WAF rules may be bypassed or require continuous tuning. Patching remains the definitive fix.

How long has this vulnerability been exploitable in the wild?

The vulnerability was published on 2026-06-08. Monitor your logs and telemetry for any signs of exploitation activity around or before that date, and consider it active risk from that point forward.

This analysis is based on published vulnerability data and does not constitute professional security advice. Organizations should independently verify patch availability, compatibility, and deployment procedures with official vendor advisories and their own testing environments. Exploit code and detailed attack steps are not provided. Risk levels are contextual and may vary based on organizational infrastructure, exposure, and controls. Consult your internal security team and vendor documentation before taking remediation actions. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).