CVE-2026-49975
HIGH 7.5 · PoC AVAILABLE
Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests. This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.
11.5% modeled chance of exploitation in the next 30 days (95th percentile) · public exploit code available. Prioritize remediation.
Exploitation likelihood
11.5% chance of exploitation in 30 days · 95th percentile
Impact if exploited
7.5 · CVSS 3.1 · HIGH
- Confidentiality: None
- Integrity: None
- Availability: High
What an attacker needs
- ✓ Access: Reachable over the network — no local access needed
- ✓ Privileges: No account or privileges required
- ✓ User interaction: No user interaction needed
- ✓ Complexity: No special conditions — reliably repeatable
✓ lowers the bar for an attacker · ⚠ raises it
Proof of concept & exploit code
Listed for defensive triage and patch prioritization.
Affected
Vendors
- Apache Software Foundation
- Red Hat
Products
- Apache HTTP Server
- Red Hat JBoss Core Services on RHEL 7 Server
- Red Hat JBoss Core Services on RHEL 8
- Red Hat Enterprise Linux AppStream (v. 10)
- Red Hat Enterprise Linux AppStream (v. 8)
- Red Hat Enterprise Linux AppStream (v. 9)
- Red Hat Hardened Images
- Red Hat JBoss Core Services 2.4.62.SP4
Weakness (CWE)
- CWE-789
- CWE-409
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
Exploits & PoC
Advisories
Technical & other
- http://www.openwall.com/lists/oss-security/2026/06/03/3
- https://lists.debian.org/debian-lts-announce/2026/06/msg00009.html
- http://www.openwall.com/lists/oss-security/2026/06/08/16
- https://access.redhat.com/security/cve/CVE-2026-49975
- https://bugzilla.redhat.com/show_bug.cgi?id=2485371
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-49975.json