Intel

AIKIDO-2026-11043

mod_http2 is vulnerable to Resource Exhaustion

Resource ExhaustionCVE-2026-49975 Published Jun 3, 2026

75

High Risk

This Affects:

OSmod_http2
2.0.0 - 2.0.40
Fixed in 2.0.41
Are you affected? Scan for Free

TL;DR

mod_http2 merges split HTTP/2 Cookie header fields but does not count merged cookie crumbs against LimitRequestFields. A client can send many HPACK-indexed cookie fragments and stall the response stream, causing Apache to repeatedly rebuild and retain large header allocations. Pre-fix servers can suffer remote memory exhaustion and availability loss through HTTP/2 requests. The fix treats merged cookie headers as added fields so they are limited by LimitRequestFields.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

mod_http2 is vulnerable to Resource Exhaustion in versions 2.0.0 - 2.0.40.

How to fix this

Upgrade the mod_http2 library to the patch version.

Links

Other

httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/security/vulnerabilities_24.html
openwall.com/lists/oss-security/2026/06/03/3
http://www.openwall.com/lists/oss-security/2026/06/03/3
openwall.com/lists/oss-security/2026/06/08/16
http://www.openwall.com/lists/oss-security/2026/06/08/16
lists.debian.org/debian-lts-announce/2026/06/msg00009.html
https://lists.debian.org/debian-lts-announce/2026/06/msg00009.html
access.redhat.com/errata/RHSA-2026:25042
https://access.redhat.com/errata/RHSA-2026:25042
access.redhat.com/errata/RHSA-2026:25057
https://access.redhat.com/errata/RHSA-2026:25057
access.redhat.com/errata/RHSA-2026:25090
https://access.redhat.com/errata/RHSA-2026:25090
access.redhat.com/errata/RHSA-2026:25225
https://access.redhat.com/errata/RHSA-2026:25225
access.redhat.com/errata/RHSA-2026:27114
https://access.redhat.com/errata/RHSA-2026:27114
access.redhat.com/errata/RHSA-2026:27200
https://access.redhat.com/errata/RHSA-2026:27200
access.redhat.com/errata/RHSA-2026:27201
https://access.redhat.com/errata/RHSA-2026:27201
access.redhat.com/errata/RHSA-2026:36373
https://access.redhat.com/errata/RHSA-2026:36373
access.redhat.com/errata/RHSA-2026:36831
https://access.redhat.com/errata/RHSA-2026:36831
access.redhat.com/errata/RHSA-2026:36846
https://access.redhat.com/errata/RHSA-2026:36846
access.redhat.com/security/cve/CVE-2026-49975
https://access.redhat.com/security/cve/CVE-2026-49975
bugzilla.redhat.com/show_bug.cgi?id=2485371
https://bugzilla.redhat.com/show_bug.cgi?id=2485371
github.com/EQSTLab/CVE-2026-49975
https://github.com/EQSTLab/CVE-2026-49975
security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-49975.json
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-49975.json