7.5 CVE-2026-49975

Enriched by CISA Exploit

Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests. This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.
https://nvd.nist.gov/vuln/detail/CVE-2026-49975

Categories

CWE-789 : Memory Allocation with Excessive Size Value
The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated. When a weakness allocates excessive memory on the stack, it is often described as "stack exhaustion," which is a technical impact of the weakness. This technical impact is often encountered as a consequence of CWE-789 and/or CWE-1325. Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues. Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) Use tools that are integrated duringcompilation to insert runtime error-checking mechanismsrelated to memory safety errors, such as AddressSanitizer(ASan) for C/C++ [REF-1518]. Perform adequate input validation against any value that influences the amount of memory that is allocated. Define an appropriate strategy for handling requests that exceed the limit, and consider supporting a configuration option so that the administrator can extend the amount of memory to be used if necessary. Run your program using system-provided resource limits for memory. This might still cause the program to crash or exit, but the impact to the rest of the system will be minimized. Query capability for API endpoint allows a large value for number of records to return, leading to allocation of a large array Chain: Python library does not limit the resources used to process images that specify a very large number of bands (CWE-1284), leading to excessive memory consumption (CWE-789) or an integer overflow (CWE-190). program uses ::alloca() for encoding messages, but large messages trigger segfault memory consumption and daemon exit by specifying a large value in a length field large value in a length field leads to memory consumption and crash when no more memory is available large key size in game program triggers crash when a resizing function cannot allocate enough memory large Content-Length HTTP header value triggers application crash in instant messaging application due to failure in memory allocation

References

af854a3a-2127-422b-91ae-364da2661108

http://www.openwall.com/lists/oss-security/2026/06/03/3 Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2026/06/08/16 Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2026/06/msg00009.html Mailing List Third Party Advisory

security@apache.org

https://httpd.apache.org/security/vulnerabilities_24.html Vendor Advisory

AFFECTED (from MITRE)

Vendor	Product	Versions
Apache Software Foundation	Apache HTTP Server	2.4.17 ≤ 2.4.67 [affected]
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

CPE

cpe	start	end
Configuration 1
cpe:2.3:a:apache:http_server::::::::	>= 2.4.17	< 2.4.68
cpe:2.3:a:f5:nginx::::::::		< 1.29.8
cpe:2.3:o:debian:debian_linux:11.0:::::::*

REMEDIATION

EXPLOITS

Exploit-db.com

id	description	date
No known exploits

POC Github

Url
https://github.com/mrx-arafat/CVE-2026-49975-POC
https://github.com/LiaoZiqi-GZFLS/CVE-2026-49975
https://github.com/adminlove520/http2-bomb-detector
https://github.com/razureink/cve-2026-49975-http2bomb_reproduction

Other Nist (github, ...)

Url
No known exploits

CAPEC

Common Attack Pattern Enumerations and Classifications

id	description	severity
No entry

Cybersecurity needs ?

Strengthen software security from the outset with our DevSecOps expertise

Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.

Discover this offer

Soutenez No Hack Me sur Tipeee