Synopsis
Important: mod_http2 security update
Type/Severity
Security Advisory: Important
Topic
An update for mod_http2 is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The mod_h2 Apache httpd module implements the HTTP2 protocol (h2+h2c) on top of libnghttp2 for httpd 2.4 servers.
Security Fix(es):
- httpd: HTTP/2: Remote Denial of Service via compression bomb and Slowloris-style attack (CVE-2026-49975)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected Products
- Red Hat Enterprise Linux for x86_64 9 x86_64
- Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.8 x86_64
- Red Hat Enterprise Linux for IBM z Systems 9 s390x
- Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.8 s390x
- Red Hat Enterprise Linux for Power, little endian 9 ppc64le
- Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.8 ppc64le
- Red Hat Enterprise Linux for ARM 64 9 aarch64
- Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.8 aarch64
- Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.8 ppc64le
- Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.8 x86_64
- Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.8 aarch64
- Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.8 s390x
- Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 9.8 x86_64
- Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 9.8 aarch64
- Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 9.8 ppc64le
- Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 9.8 s390x
Fixes
- BZ - 2485371 - CVE-2026-49975 httpd: HTTP/2: Remote Denial of Service via compression bomb and Slowloris-style attack
Note: More recent versions of these packages may be available.
Red Hat Enterprise Linux for x86_64 9

| Package | SHA-256 |
| --- | --- |
| SRPM | |
| mod_http2-2.0.26-6.el9_8.1.src.rpm | 8552f39060879a5786514dd319de29b008bc6bbf477c7de7076f466813cd137b |
| x86_64 | |
| mod_http2-2.0.26-6.el9_8.1.x86_64.rpm | ee38b8dafc25b54e4298cc4efe524d846ddcb26cf4c22be69392befca5924881 |
| mod_http2-debuginfo-2.0.26-6.el9_8.1.x86_64.rpm | 0c761e4e93b9e26d3e1b5680503c6d1ea8e3798627028ebb5da5b2f80975748e |
| mod_http2-debugsource-2.0.26-6.el9_8.1.x86_64.rpm | 70f8b5ceab4a82b9f82d704bfacccb4c7f03acc6b77a6087b3ff923c5b9ce411 |

Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.8

| Package | SHA-256 |
| --- | --- |
| SRPM | |
| mod_http2-2.0.26-6.el9_8.1.src.rpm | 8552f39060879a5786514dd319de29b008bc6bbf477c7de7076f466813cd137b |
| x86_64 | |
| mod_http2-2.0.26-6.el9_8.1.x86_64.rpm | ee38b8dafc25b54e4298cc4efe524d846ddcb26cf4c22be69392befca5924881 |
| mod_http2-debuginfo-2.0.26-6.el9_8.1.x86_64.rpm | 0c761e4e93b9e26d3e1b5680503c6d1ea8e3798627028ebb5da5b2f80975748e |
| mod_http2-debugsource-2.0.26-6.el9_8.1.x86_64.rpm | 70f8b5ceab4a82b9f82d704bfacccb4c7f03acc6b77a6087b3ff923c5b9ce411 |

Red Hat Enterprise Linux for IBM z Systems 9

| Package | SHA-256 |
| --- | --- |
| SRPM | |
| mod_http2-2.0.26-6.el9_8.1.src.rpm | 8552f39060879a5786514dd319de29b008bc6bbf477c7de7076f466813cd137b |
| s390x | |
| mod_http2-2.0.26-6.el9_8.1.s390x.rpm | 6f8c2f6b7cf1484ea3ab4e6ac2b7c2bc4eda24435820737444fed15f41f44ca8 |
| mod_http2-debuginfo-2.0.26-6.el9_8.1.s390x.rpm | 16ee3cd220c6575f152cac0a9e7f79442dfa4d7018d7c12d906f1d4e562f7467 |
| mod_http2-debugsource-2.0.26-6.el9_8.1.s390x.rpm | 5c314ac284f615335820c635b004334269210d98c7ede936d317d8449c9b7ca6 |

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.8

| Package | SHA-256 |
| --- | --- |
| SRPM | |
| mod_http2-2.0.26-6.el9_8.1.src.rpm | 8552f39060879a5786514dd319de29b008bc6bbf477c7de7076f466813cd137b |
| s390x | |
| mod_http2-2.0.26-6.el9_8.1.s390x.rpm | 6f8c2f6b7cf1484ea3ab4e6ac2b7c2bc4eda24435820737444fed15f41f44ca8 |
| mod_http2-debuginfo-2.0.26-6.el9_8.1.s390x.rpm | 16ee3cd220c6575f152cac0a9e7f79442dfa4d7018d7c12d906f1d4e562f7467 |
| mod_http2-debugsource-2.0.26-6.el9_8.1.s390x.rpm | 5c314ac284f615335820c635b004334269210d98c7ede936d317d8449c9b7ca6 |

Red Hat Enterprise Linux for Power, little endian 9

| Package | SHA-256 |
| --- | --- |
| SRPM | |
| mod_http2-2.0.26-6.el9_8.1.src.rpm | 8552f39060879a5786514dd319de29b008bc6bbf477c7de7076f466813cd137b |
| ppc64le | |
| mod_http2-2.0.26-6.el9_8.1.ppc64le.rpm | 4123bb7d92c8589a2a182fcd0c5bebdb01c1474872a1db5c6582abcc934e07fa |
| mod_http2-debuginfo-2.0.26-6.el9_8.1.ppc64le.rpm | 619826399a933eb4f0471333bcfe9cde1f7b4a6ae9356d358debce023b2fd95c |
| mod_http2-debugsource-2.0.26-6.el9_8.1.ppc64le.rpm | f7046d967f69852b0451452d296b2538f310c6ab29ae06c342ac5e3b91211cc0 |

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.8

| Package | SHA-256 |
| --- | --- |
| SRPM | |
| mod_http2-2.0.26-6.el9_8.1.src.rpm | 8552f39060879a5786514dd319de29b008bc6bbf477c7de7076f466813cd137b |
| ppc64le | |
| mod_http2-2.0.26-6.el9_8.1.ppc64le.rpm | 4123bb7d92c8589a2a182fcd0c5bebdb01c1474872a1db5c6582abcc934e07fa |
| mod_http2-debuginfo-2.0.26-6.el9_8.1.ppc64le.rpm | 619826399a933eb4f0471333bcfe9cde1f7b4a6ae9356d358debce023b2fd95c |
| mod_http2-debugsource-2.0.26-6.el9_8.1.ppc64le.rpm | f7046d967f69852b0451452d296b2538f310c6ab29ae06c342ac5e3b91211cc0 |

Red Hat Enterprise Linux for ARM 64 9

| Package | SHA-256 |
| --- | --- |
| SRPM | |
| mod_http2-2.0.26-6.el9_8.1.src.rpm | 8552f39060879a5786514dd319de29b008bc6bbf477c7de7076f466813cd137b |
| aarch64 | |
| mod_http2-2.0.26-6.el9_8.1.aarch64.rpm | a78593737889274f667272089a807c31b3f0371d6749567b60b3f7cb9e7069ee |
| mod_http2-debuginfo-2.0.26-6.el9_8.1.aarch64.rpm | b2d3957ccba788c871e505f78d7dbf3006737258b54fb5eacb1d5458968bc862 |
| mod_http2-debugsource-2.0.26-6.el9_8.1.aarch64.rpm | 357f7854869781383672f26265822f6d230afc709fa957b707f138aae8318a92 |

Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.8

| Package | SHA-256 |
| --- | --- |
| SRPM | |
| mod_http2-2.0.26-6.el9_8.1.src.rpm | 8552f39060879a5786514dd319de29b008bc6bbf477c7de7076f466813cd137b |
| aarch64 | |
| mod_http2-2.0.26-6.el9_8.1.aarch64.rpm | a78593737889274f667272089a807c31b3f0371d6749567b60b3f7cb9e7069ee |
| mod_http2-debuginfo-2.0.26-6.el9_8.1.aarch64.rpm | b2d3957ccba788c871e505f78d7dbf3006737258b54fb5eacb1d5458968bc862 |
| mod_http2-debugsource-2.0.26-6.el9_8.1.aarch64.rpm | 357f7854869781383672f26265822f6d230afc709fa957b707f138aae8318a92 |

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.8

| Package | SHA-256 |
| --- | --- |
| SRPM | |
| mod_http2-2.0.26-6.el9_8.1.src.rpm | 8552f39060879a5786514dd319de29b008bc6bbf477c7de7076f466813cd137b |
| ppc64le | |
| mod_http2-2.0.26-6.el9_8.1.ppc64le.rpm | 4123bb7d92c8589a2a182fcd0c5bebdb01c1474872a1db5c6582abcc934e07fa |
| mod_http2-debuginfo-2.0.26-6.el9_8.1.ppc64le.rpm | 619826399a933eb4f0471333bcfe9cde1f7b4a6ae9356d358debce023b2fd95c |
| mod_http2-debugsource-2.0.26-6.el9_8.1.ppc64le.rpm | f7046d967f69852b0451452d296b2538f310c6ab29ae06c342ac5e3b91211cc0 |

Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.8

| Package | SHA-256 |
| --- | --- |
| SRPM | |
| mod_http2-2.0.26-6.el9_8.1.src.rpm | 8552f39060879a5786514dd319de29b008bc6bbf477c7de7076f466813cd137b |
| x86_64 | |
| mod_http2-2.0.26-6.el9_8.1.x86_64.rpm | ee38b8dafc25b54e4298cc4efe524d846ddcb26cf4c22be69392befca5924881 |
| mod_http2-debuginfo-2.0.26-6.el9_8.1.x86_64.rpm | 0c761e4e93b9e26d3e1b5680503c6d1ea8e3798627028ebb5da5b2f80975748e |
| mod_http2-debugsource-2.0.26-6.el9_8.1.x86_64.rpm | 70f8b5ceab4a82b9f82d704bfacccb4c7f03acc6b77a6087b3ff923c5b9ce411 |

Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.8

| Package | SHA-256 |
| --- | --- |
| SRPM | |
| mod_http2-2.0.26-6.el9_8.1.src.rpm | 8552f39060879a5786514dd319de29b008bc6bbf477c7de7076f466813cd137b |
| aarch64 | |
| mod_http2-2.0.26-6.el9_8.1.aarch64.rpm | a78593737889274f667272089a807c31b3f0371d6749567b60b3f7cb9e7069ee |
| mod_http2-debuginfo-2.0.26-6.el9_8.1.aarch64.rpm | b2d3957ccba788c871e505f78d7dbf3006737258b54fb5eacb1d5458968bc862 |
| mod_http2-debugsource-2.0.26-6.el9_8.1.aarch64.rpm | 357f7854869781383672f26265822f6d230afc709fa957b707f138aae8318a92 |

Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.8

| Package | SHA-256 |
| --- | --- |
| SRPM | |
| mod_http2-2.0.26-6.el9_8.1.src.rpm | 8552f39060879a5786514dd319de29b008bc6bbf477c7de7076f466813cd137b |
| s390x | |
| mod_http2-2.0.26-6.el9_8.1.s390x.rpm | 6f8c2f6b7cf1484ea3ab4e6ac2b7c2bc4eda24435820737444fed15f41f44ca8 |
| mod_http2-debuginfo-2.0.26-6.el9_8.1.s390x.rpm | 16ee3cd220c6575f152cac0a9e7f79442dfa4d7018d7c12d906f1d4e562f7467 |
| mod_http2-debugsource-2.0.26-6.el9_8.1.s390x.rpm | 5c314ac284f615335820c635b004334269210d98c7ede936d317d8449c9b7ca6 |

Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 9.8

| Package | SHA-256 |
| --- | --- |
| SRPM | |
| mod_http2-2.0.26-6.el9_8.1.src.rpm | 8552f39060879a5786514dd319de29b008bc6bbf477c7de7076f466813cd137b |
| x86_64 | |
| mod_http2-2.0.26-6.el9_8.1.x86_64.rpm | ee38b8dafc25b54e4298cc4efe524d846ddcb26cf4c22be69392befca5924881 |
| mod_http2-debuginfo-2.0.26-6.el9_8.1.x86_64.rpm | 0c761e4e93b9e26d3e1b5680503c6d1ea8e3798627028ebb5da5b2f80975748e |
| mod_http2-debugsource-2.0.26-6.el9_8.1.x86_64.rpm | 70f8b5ceab4a82b9f82d704bfacccb4c7f03acc6b77a6087b3ff923c5b9ce411 |

Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 9.8

| Package | SHA-256 |
| --- | --- |
| SRPM | |
| mod_http2-2.0.26-6.el9_8.1.src.rpm | 8552f39060879a5786514dd319de29b008bc6bbf477c7de7076f466813cd137b |
| aarch64 | |
| mod_http2-2.0.26-6.el9_8.1.aarch64.rpm | a78593737889274f667272089a807c31b3f0371d6749567b60b3f7cb9e7069ee |
| mod_http2-debuginfo-2.0.26-6.el9_8.1.aarch64.rpm | b2d3957ccba788c871e505f78d7dbf3006737258b54fb5eacb1d5458968bc862 |
| mod_http2-debugsource-2.0.26-6.el9_8.1.aarch64.rpm | 357f7854869781383672f26265822f6d230afc709fa957b707f138aae8318a92 |

Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 9.8

| Package | SHA-256 |
| --- | --- |
| SRPM | |
| mod_http2-2.0.26-6.el9_8.1.src.rpm | 8552f39060879a5786514dd319de29b008bc6bbf477c7de7076f466813cd137b |
| ppc64le | |
| mod_http2-2.0.26-6.el9_8.1.ppc64le.rpm | 4123bb7d92c8589a2a182fcd0c5bebdb01c1474872a1db5c6582abcc934e07fa |
| mod_http2-debuginfo-2.0.26-6.el9_8.1.ppc64le.rpm | 619826399a933eb4f0471333bcfe9cde1f7b4a6ae9356d358debce023b2fd95c |
| mod_http2-debugsource-2.0.26-6.el9_8.1.ppc64le.rpm | f7046d967f69852b0451452d296b2538f310c6ab29ae06c342ac5e3b91211cc0 |

Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 9.8

| Package | SHA-256 |
| --- | --- |
| SRPM | |
| mod_http2-2.0.26-6.el9_8.1.src.rpm | 8552f39060879a5786514dd319de29b008bc6bbf477c7de7076f466813cd137b |
| s390x | |
| mod_http2-2.0.26-6.el9_8.1.s390x.rpm | 6f8c2f6b7cf1484ea3ab4e6ac2b7c2bc4eda24435820737444fed15f41f44ca8 |
| mod_http2-debuginfo-2.0.26-6.el9_8.1.s390x.rpm | 16ee3cd220c6575f152cac0a9e7f79442dfa4d7018d7c12d906f1d4e562f7467 |
| mod_http2-debugsource-2.0.26-6.el9_8.1.s390x.rpm | 5c314ac284f615335820c635b004334269210d98c7ede936d317d8449c9b7ca6 |