CVE-2026-49975

Published: June 5, 2026Last modified: June 15, 2026

Description

Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests. This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.

Severity score breakdown

Parameter	Value
Base score	7.5
Attack Vector	NETWORK
Attack complexity	LOW
Privileges required	NONE
User interaction	NONE
Scope	UNCHANGED
Confidentiality	NONE
Integrity impact	NONE
Availability impact	HIGH
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Notes

https://github.com/nginx/nginx/commit/365694160a85229a7cb006738de9260d49ff5fa2 https://freenginx.org/hg/nginx/rev/199dc0d6b05be814b5c811876c20af58cd361fea https://ubuntu.com/security/notices/USN-8398-2

Status

Product	Release	Package	Status
Alpaquita Linux	23 LTS	apache2	Vulnerable (2.4.54-r2)
	23 LTS	nginx	Fixed (1.22.1-r7)
	25 LTS	apache2	Vulnerable (2.4.63-r0)
	25 LTS	nginx	Fixed (1.28.3-r5)
	Stream	apache2	Fixed (2.4.68-r0)
	Stream	nginx	Fixed (1.30.1-r0)

References

http://www.openwall.com/lists/oss-security/2026/06/03/3
http://www.openwall.com/lists/oss-security/2026/06/08/16
https://httpd.apache.org/security/vulnerabilities_24.html
https://lists.debian.org/debian-lts-announce/2026/06/msg00009.html