Red Hat Product Errata RHSA-2026:25225 - Security Advisory
Issued:
2026-06-11
Updated:
2026-06-11

RHSA-2026:25225 - Security Advisory

Synopsis

Important: mod_http2 security update

Type/Severity

Security Advisory: Important

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for mod_http2 is now available for Red Hat Enterprise Linux 10.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The mod_h2 Apache httpd module implements the HTTP2 protocol (h2+h2c) on top of libnghttp2 for httpd 2.4 servers.

Security Fix(es):

  • httpd: HTTP/2: Remote Denial of Service via compression bomb and Slowloris-style attack (CVE-2026-49975)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux for x86_64 10 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.2 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 10 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.2 s390x
  • Red Hat Enterprise Linux for Power, little endian 10 ppc64le
  • Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.2 ppc64le
  • Red Hat Enterprise Linux for ARM 64 10 aarch64
  • Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.2 aarch64
  • Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.2 aarch64
  • Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.2 s390x
  • Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.2 ppc64le
  • Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.2 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 10.2 x86_64
  • Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 10.2 aarch64
  • Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 10.2 ppc64le
  • Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 10.2 s390x

Fixes

  • BZ - 2485371 - CVE-2026-49975 httpd: HTTP/2: Remote Denial of Service via compression bomb and Slowloris-style attack

Red Hat Enterprise Linux for x86_64 10

SRPM
mod_http2-2.0.29-4.el10_2.1.src.rpm SHA-256: e258ff599d639150b3a1ee85552543907c0615327552cb43bbb307e684e69c1c
x86_64
mod_http2-2.0.29-4.el10_2.1.x86_64.rpm SHA-256: 5b6945c58999ec2e0a3c2c1a131e1e8a63d9f495c05405a3c8653e376c3d9d5d
mod_http2-debuginfo-2.0.29-4.el10_2.1.x86_64.rpm SHA-256: b4719dd62f5b895be28deeb491048b1ace0ce4ac8f38ba35203d6855916dc74e
mod_http2-debugsource-2.0.29-4.el10_2.1.x86_64.rpm SHA-256: 035fe677b3741021631fd2743398f8af53dd7c1cd5fae3101f5ccee2acc3fbb2

Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.2

SRPM
mod_http2-2.0.29-4.el10_2.1.src.rpm SHA-256: e258ff599d639150b3a1ee85552543907c0615327552cb43bbb307e684e69c1c
x86_64
mod_http2-2.0.29-4.el10_2.1.x86_64.rpm SHA-256: 5b6945c58999ec2e0a3c2c1a131e1e8a63d9f495c05405a3c8653e376c3d9d5d
mod_http2-debuginfo-2.0.29-4.el10_2.1.x86_64.rpm SHA-256: b4719dd62f5b895be28deeb491048b1ace0ce4ac8f38ba35203d6855916dc74e
mod_http2-debugsource-2.0.29-4.el10_2.1.x86_64.rpm SHA-256: 035fe677b3741021631fd2743398f8af53dd7c1cd5fae3101f5ccee2acc3fbb2

Red Hat Enterprise Linux for IBM z Systems 10

SRPM
mod_http2-2.0.29-4.el10_2.1.src.rpm SHA-256: e258ff599d639150b3a1ee85552543907c0615327552cb43bbb307e684e69c1c
s390x
mod_http2-2.0.29-4.el10_2.1.s390x.rpm SHA-256: 0104c918e59f646515c8414ccc41240f69fafa2e19a667f221df6c183eff12aa
mod_http2-debuginfo-2.0.29-4.el10_2.1.s390x.rpm SHA-256: 3e76a374ec0b5a096b4374182d8b2c4c4011d495b70646caf936cfdcff09ee44
mod_http2-debugsource-2.0.29-4.el10_2.1.s390x.rpm SHA-256: ae36050a3fcb7d0eea1f174f36f19363f1f631b138ad3edf35c79779995abe4e

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.2

SRPM
mod_http2-2.0.29-4.el10_2.1.src.rpm SHA-256: e258ff599d639150b3a1ee85552543907c0615327552cb43bbb307e684e69c1c
s390x
mod_http2-2.0.29-4.el10_2.1.s390x.rpm SHA-256: 0104c918e59f646515c8414ccc41240f69fafa2e19a667f221df6c183eff12aa
mod_http2-debuginfo-2.0.29-4.el10_2.1.s390x.rpm SHA-256: 3e76a374ec0b5a096b4374182d8b2c4c4011d495b70646caf936cfdcff09ee44
mod_http2-debugsource-2.0.29-4.el10_2.1.s390x.rpm SHA-256: ae36050a3fcb7d0eea1f174f36f19363f1f631b138ad3edf35c79779995abe4e

Red Hat Enterprise Linux for Power, little endian 10

SRPM
mod_http2-2.0.29-4.el10_2.1.src.rpm SHA-256: e258ff599d639150b3a1ee85552543907c0615327552cb43bbb307e684e69c1c
ppc64le
mod_http2-2.0.29-4.el10_2.1.ppc64le.rpm SHA-256: ea271d781eb2f48e628d9e6ef1d7dd2040042b8f009f30815c5f69a36b364fbe
mod_http2-debuginfo-2.0.29-4.el10_2.1.ppc64le.rpm SHA-256: 40223cced01104e0eba55a26807cfb144bf17dd6fd12c4d4decdd526a0f6f3ae
mod_http2-debugsource-2.0.29-4.el10_2.1.ppc64le.rpm SHA-256: 46043d58a58806f73d4ab37a182523d3ebf05e2da078b84aeb7a9dbfe7b4d3ad

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.2

SRPM
mod_http2-2.0.29-4.el10_2.1.src.rpm SHA-256: e258ff599d639150b3a1ee85552543907c0615327552cb43bbb307e684e69c1c
ppc64le
mod_http2-2.0.29-4.el10_2.1.ppc64le.rpm SHA-256: ea271d781eb2f48e628d9e6ef1d7dd2040042b8f009f30815c5f69a36b364fbe
mod_http2-debuginfo-2.0.29-4.el10_2.1.ppc64le.rpm SHA-256: 40223cced01104e0eba55a26807cfb144bf17dd6fd12c4d4decdd526a0f6f3ae
mod_http2-debugsource-2.0.29-4.el10_2.1.ppc64le.rpm SHA-256: 46043d58a58806f73d4ab37a182523d3ebf05e2da078b84aeb7a9dbfe7b4d3ad

Red Hat Enterprise Linux for ARM 64 10

SRPM
mod_http2-2.0.29-4.el10_2.1.src.rpm SHA-256: e258ff599d639150b3a1ee85552543907c0615327552cb43bbb307e684e69c1c
aarch64
mod_http2-2.0.29-4.el10_2.1.aarch64.rpm SHA-256: 94e2ed14a45877198d4f208e218680be54fe4df94d5f6df713269c665ea595a6
mod_http2-debuginfo-2.0.29-4.el10_2.1.aarch64.rpm SHA-256: 1ae424576eb5e80eda7062b1515c05ec0470131f06e696a50012defa8ab6540b
mod_http2-debugsource-2.0.29-4.el10_2.1.aarch64.rpm SHA-256: 2684a8a793fcd3b58b404caf1c337da9ef42e096ae4073e8f25059d24d3caf3f

Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.2

SRPM
mod_http2-2.0.29-4.el10_2.1.src.rpm SHA-256: e258ff599d639150b3a1ee85552543907c0615327552cb43bbb307e684e69c1c
aarch64
mod_http2-2.0.29-4.el10_2.1.aarch64.rpm SHA-256: 94e2ed14a45877198d4f208e218680be54fe4df94d5f6df713269c665ea595a6
mod_http2-debuginfo-2.0.29-4.el10_2.1.aarch64.rpm SHA-256: 1ae424576eb5e80eda7062b1515c05ec0470131f06e696a50012defa8ab6540b
mod_http2-debugsource-2.0.29-4.el10_2.1.aarch64.rpm SHA-256: 2684a8a793fcd3b58b404caf1c337da9ef42e096ae4073e8f25059d24d3caf3f

Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.2

SRPM
mod_http2-2.0.29-4.el10_2.1.src.rpm SHA-256: e258ff599d639150b3a1ee85552543907c0615327552cb43bbb307e684e69c1c
aarch64
mod_http2-2.0.29-4.el10_2.1.aarch64.rpm SHA-256: 94e2ed14a45877198d4f208e218680be54fe4df94d5f6df713269c665ea595a6
mod_http2-debuginfo-2.0.29-4.el10_2.1.aarch64.rpm SHA-256: 1ae424576eb5e80eda7062b1515c05ec0470131f06e696a50012defa8ab6540b
mod_http2-debugsource-2.0.29-4.el10_2.1.aarch64.rpm SHA-256: 2684a8a793fcd3b58b404caf1c337da9ef42e096ae4073e8f25059d24d3caf3f

Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.2

SRPM
mod_http2-2.0.29-4.el10_2.1.src.rpm SHA-256: e258ff599d639150b3a1ee85552543907c0615327552cb43bbb307e684e69c1c
s390x
mod_http2-2.0.29-4.el10_2.1.s390x.rpm SHA-256: 0104c918e59f646515c8414ccc41240f69fafa2e19a667f221df6c183eff12aa
mod_http2-debuginfo-2.0.29-4.el10_2.1.s390x.rpm SHA-256: 3e76a374ec0b5a096b4374182d8b2c4c4011d495b70646caf936cfdcff09ee44
mod_http2-debugsource-2.0.29-4.el10_2.1.s390x.rpm SHA-256: ae36050a3fcb7d0eea1f174f36f19363f1f631b138ad3edf35c79779995abe4e

Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.2

SRPM
mod_http2-2.0.29-4.el10_2.1.src.rpm SHA-256: e258ff599d639150b3a1ee85552543907c0615327552cb43bbb307e684e69c1c
ppc64le
mod_http2-2.0.29-4.el10_2.1.ppc64le.rpm SHA-256: ea271d781eb2f48e628d9e6ef1d7dd2040042b8f009f30815c5f69a36b364fbe
mod_http2-debuginfo-2.0.29-4.el10_2.1.ppc64le.rpm SHA-256: 40223cced01104e0eba55a26807cfb144bf17dd6fd12c4d4decdd526a0f6f3ae
mod_http2-debugsource-2.0.29-4.el10_2.1.ppc64le.rpm SHA-256: 46043d58a58806f73d4ab37a182523d3ebf05e2da078b84aeb7a9dbfe7b4d3ad

Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.2

SRPM
mod_http2-2.0.29-4.el10_2.1.src.rpm SHA-256: e258ff599d639150b3a1ee85552543907c0615327552cb43bbb307e684e69c1c
x86_64
mod_http2-2.0.29-4.el10_2.1.x86_64.rpm SHA-256: 5b6945c58999ec2e0a3c2c1a131e1e8a63d9f495c05405a3c8653e376c3d9d5d
mod_http2-debuginfo-2.0.29-4.el10_2.1.x86_64.rpm SHA-256: b4719dd62f5b895be28deeb491048b1ace0ce4ac8f38ba35203d6855916dc74e
mod_http2-debugsource-2.0.29-4.el10_2.1.x86_64.rpm SHA-256: 035fe677b3741021631fd2743398f8af53dd7c1cd5fae3101f5ccee2acc3fbb2

Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 10.2

SRPM
mod_http2-2.0.29-4.el10_2.1.src.rpm SHA-256: e258ff599d639150b3a1ee85552543907c0615327552cb43bbb307e684e69c1c
x86_64
mod_http2-2.0.29-4.el10_2.1.x86_64.rpm SHA-256: 5b6945c58999ec2e0a3c2c1a131e1e8a63d9f495c05405a3c8653e376c3d9d5d
mod_http2-debuginfo-2.0.29-4.el10_2.1.x86_64.rpm SHA-256: b4719dd62f5b895be28deeb491048b1ace0ce4ac8f38ba35203d6855916dc74e
mod_http2-debugsource-2.0.29-4.el10_2.1.x86_64.rpm SHA-256: 035fe677b3741021631fd2743398f8af53dd7c1cd5fae3101f5ccee2acc3fbb2

Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 10.2

SRPM
mod_http2-2.0.29-4.el10_2.1.src.rpm SHA-256: e258ff599d639150b3a1ee85552543907c0615327552cb43bbb307e684e69c1c
aarch64
mod_http2-2.0.29-4.el10_2.1.aarch64.rpm SHA-256: 94e2ed14a45877198d4f208e218680be54fe4df94d5f6df713269c665ea595a6
mod_http2-debuginfo-2.0.29-4.el10_2.1.aarch64.rpm SHA-256: 1ae424576eb5e80eda7062b1515c05ec0470131f06e696a50012defa8ab6540b
mod_http2-debugsource-2.0.29-4.el10_2.1.aarch64.rpm SHA-256: 2684a8a793fcd3b58b404caf1c337da9ef42e096ae4073e8f25059d24d3caf3f

Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 10.2

SRPM
mod_http2-2.0.29-4.el10_2.1.src.rpm SHA-256: e258ff599d639150b3a1ee85552543907c0615327552cb43bbb307e684e69c1c
ppc64le
mod_http2-2.0.29-4.el10_2.1.ppc64le.rpm SHA-256: ea271d781eb2f48e628d9e6ef1d7dd2040042b8f009f30815c5f69a36b364fbe
mod_http2-debuginfo-2.0.29-4.el10_2.1.ppc64le.rpm SHA-256: 40223cced01104e0eba55a26807cfb144bf17dd6fd12c4d4decdd526a0f6f3ae
mod_http2-debugsource-2.0.29-4.el10_2.1.ppc64le.rpm SHA-256: 46043d58a58806f73d4ab37a182523d3ebf05e2da078b84aeb7a9dbfe7b4d3ad

Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 10.2

SRPM
mod_http2-2.0.29-4.el10_2.1.src.rpm SHA-256: e258ff599d639150b3a1ee85552543907c0615327552cb43bbb307e684e69c1c
s390x
mod_http2-2.0.29-4.el10_2.1.s390x.rpm SHA-256: 0104c918e59f646515c8414ccc41240f69fafa2e19a667f221df6c183eff12aa
mod_http2-debuginfo-2.0.29-4.el10_2.1.s390x.rpm SHA-256: 3e76a374ec0b5a096b4374182d8b2c4c4011d495b70646caf936cfdcff09ee44
mod_http2-debugsource-2.0.29-4.el10_2.1.s390x.rpm SHA-256: ae36050a3fcb7d0eea1f174f36f19363f1f631b138ad3edf35c79779995abe4e

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.