Intel

AIKIDO-2026-11044

httpd is vulnerable to Resource Exhaustion

Resource ExhaustionCVE-2026-49975 Published Jun 3, 2026

75

High Risk

This Affects:

OShttpd
2.4.17 - 2.4.67
Fixed in 2.4.68
Are you affected? Scan for Free

TL;DR

Apache httpd's bundled HTTP/2 implementation can merge split Cookie header fields without counting each crumb against the configured request-field limit. A client can combine HPACK indexed cookie fragments with a stalled response stream to keep large header allocations live. Affected servers can suffer remote memory exhaustion and availability loss through HTTP/2 requests. The 2.4.68 release includes mod_http2 2.0.41, which fixes cookie header accounting against LimitRequestFields.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and HTTP/2 is enabled.

Background info

httpd is vulnerable to Resource Exhaustion in versions 2.4.17 - 2.4.67.

How to fix this

Upgrade the httpd library to the patch version.

Links

github.com/apache/httpd/compare/2.4.67...2.4.68
https://github.com/apache/httpd/compare/2.4.67...2.4.68
httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/security/vulnerabilities_24.html
openwall.com/lists/oss-security/2026/06/03/3
http://www.openwall.com/lists/oss-security/2026/06/03/3
openwall.com/lists/oss-security/2026/06/08/16
http://www.openwall.com/lists/oss-security/2026/06/08/16
lists.debian.org/debian-lts-announce/2026/06/msg00009.html
https://lists.debian.org/debian-lts-announce/2026/06/msg00009.html
access.redhat.com/errata/RHSA-2026:25042
https://access.redhat.com/errata/RHSA-2026:25042
access.redhat.com/errata/RHSA-2026:25057
https://access.redhat.com/errata/RHSA-2026:25057
access.redhat.com/errata/RHSA-2026:25090
https://access.redhat.com/errata/RHSA-2026:25090
access.redhat.com/errata/RHSA-2026:25225
https://access.redhat.com/errata/RHSA-2026:25225
access.redhat.com/errata/RHSA-2026:27114
https://access.redhat.com/errata/RHSA-2026:27114
access.redhat.com/errata/RHSA-2026:27200
https://access.redhat.com/errata/RHSA-2026:27200
access.redhat.com/errata/RHSA-2026:27201
https://access.redhat.com/errata/RHSA-2026:27201
access.redhat.com/errata/RHSA-2026:36373
https://access.redhat.com/errata/RHSA-2026:36373
access.redhat.com/errata/RHSA-2026:36831
https://access.redhat.com/errata/RHSA-2026:36831
access.redhat.com/errata/RHSA-2026:36846
https://access.redhat.com/errata/RHSA-2026:36846
access.redhat.com/security/cve/CVE-2026-49975
https://access.redhat.com/security/cve/CVE-2026-49975
bugzilla.redhat.com/show_bug.cgi?id=2485371
https://bugzilla.redhat.com/show_bug.cgi?id=2485371
github.com/EQSTLab/CVE-2026-49975
https://github.com/EQSTLab/CVE-2026-49975
security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-49975.json
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-49975.json