httpd is vulnerable to Resource Exhaustion
Score: 75 (High Risk)
Apache httpd's bundled HTTP/2 implementation can merge split Cookie header fields without counting each crumb against the configured request-field limit. A client can combine HPACK indexed cookie fragments with a stalled response stream to keep large header allocations live. Affected servers can suffer remote memory exhaustion and availability loss through HTTP/2 requests. The 2.4.68 release includes mod_http2 2.0.41, which fixes cookie header accounting against LimitRequestFields.
You are affected if you are using a version that falls within the vulnerable range and HTTP/2 is enabled.
httpd is vulnerable to Resource Exhaustion in versions 2.4.17 - 2.4.67.
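An added exposure check, not part of the original advisory or the Apache project, that applies the two conditions above to an `httpd -v` banner and to configuration text. It assumes HTTP/2 is served only when a `Protocols` directive lists `h2` or `h2c`; the function names and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Exposure check for the range stated on this page:
# httpd 2.4.17 - 2.4.67 with HTTP/2 enabled.

# Extract "2.4.x" from a banner like "Server version: Apache/2.4.62 (Unix)".
httpd_version() {
  printf '%s\n' "$1" |
    sed -n 's|.*Apache/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p' |
    head -n 1
}

# Return 0 if the version lies in 2.4.17 - 2.4.67 inclusive.
version_in_range() {
  case "$1" in
    2.4.*) patch=${1#2.4.} ;;
    *) return 1 ;;
  esac
  case "$patch" in ''|*[!0-9]*) return 1 ;; esac
  [ "$patch" -ge 17 ] && [ "$patch" -le 67 ]
}

# stdin: httpd configuration text. Return 0 if a non-comment Protocols
# directive lists h2 or h2c (directive names are case-insensitive).
# Assumption: without such a directive, only HTTP/1.1 is served.
h2_enabled() {
  tr '[:upper:]' '[:lower:]' | awk '
    /^[ \t]*#/ { next }
    $1 == "protocols" {
      for (i = 2; i <= NF; i++) if ($i == "h2" || $i == "h2c") found = 1
    }
    END { exit found ? 0 : 1 }'
}

# Prints: affected | version-only | not-affected | unknown
assess() {
  ver=$(httpd_version "$1")
  if [ -z "$ver" ]; then echo unknown; return 0; fi
  if ! version_in_range "$ver"; then echo not-affected; return 0; fi
  if printf '%s\n' "$2" | h2_enabled; then echo affected; else echo version-only; fi
}

# Constructed sample input (not taken from a real host).
SAMPLE_BANNER='Server version: Apache/2.4.62 (Unix)'
SAMPLE_CONF='# Protocols h2 http/1.1
<VirtualHost *:443>
    Protocols H2 http/1.1
</VirtualHost>'

assess "$SAMPLE_BANNER" "$SAMPLE_CONF"
```

`version-only` means the version is in the vulnerable range but no HTTP/2 protocol was found in the supplied configuration text, so pass the complete configuration, included files as well.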
Upgrade httpd to the patched release, 2.4.68, which includes mod_http2 2.0.41.