Copyright © 2012 Red Hat, Inc. All rights reserved. Important 2026-06-03T00:00:00 httpd: HTTP/2: Remote Denial of Service via compression bomb and Slowloris-style attack 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CWE-409

Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests. This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.

A flaw was found in HTTP/2, affecting various web servers. A remote attacker can exploit this vulnerability by combining an HPACK compression bomb with a zero-byte flow-control window. This technique allows a small amount of data to expand into large memory allocations on the server, which are then held, leading to a denial of service (DoS) by rendering the server inaccessible.

The Apache's `httpd` HTTP/2 protocol implementation has a denial-of-service (DoS) vulnerability that is rated as Important. An unauthenticated remote attacker can exploit this flaw by combining HPACK compression with flow control manipulation, leading to significant server memory exhaustion and rendering the service inaccessible. This vulnerability exists in default HTTP/2 configurations. See the security bulletin for a detailed mitigation procedure. JBoss Core Services for RHEL 8 2026-06-22T00:00:00Z RHSA-2026:27200 jbcs-httpd24-httpd-0:2.4.62-13.el8jbcs JBoss Core Services for RHEL 8 2026-06-22T00:00:00Z RHSA-2026:27200 jbcs-httpd24-mod_http2-0:2.0.29-10.el8jbcs JBoss Core Services on RHEL 7 2026-06-22T00:00:00Z RHSA-2026:27200 jbcs-httpd24-httpd-0:2.4.62-13.el7jbcs JBoss Core Services on RHEL 7 2026-06-22T00:00:00Z RHSA-2026:27200 jbcs-httpd24-mod_http2-0:2.0.29-10.el7jbcs Red Hat Enterprise Linux 10 2026-06-11T00:00:00Z RHSA-2026:25225 mod_http2-0:2.0.29-4.el10_2.1 Red Hat Enterprise Linux 8 2026-06-10T00:00:00Z RHSA-2026:25090 httpd:2.4-8100020260608081321.489197e6 Red Hat Enterprise Linux 9 2026-06-10T00:00:00Z RHSA-2026:25057 mod_http2-0:2.0.26-6.el9_8.1 Red Hat JBoss Core Services 2.4.62.SP4 2026-06-22T00:00:00Z RHSA-2026:27201 jbcs-httpd24-httpd Red Hat JBoss Core Services 2.4.62.SP4 2026-06-22T00:00:00Z RHSA-2026:27201 jbcs-httpd24-mod_http2 Red Hat Hardened Images 2026-06-10T00:00:00Z RHSA-2026:25042 httpd-main-2.4.68-1.hum1 Red Hat OpenShift Service Mesh 2.6 2026-06-18T00:00:00Z RHSA-2026:27114 openshift-service-mesh/proxyv2-rhel9:1781604724 Red Hat JBoss Core Services Not affected jbcs-httpd24-apache-commons-daemon Red Hat JBoss Core Services Not affected jbcs-httpd24-apache-commons-daemon-jsvc Red Hat JBoss Core Services Not affected jbcs-httpd24-apr Red Hat JBoss Core Services Not affected jbcs-httpd24-apr-util Red Hat JBoss Core Services Not affected jbcs-httpd24-brotli Red Hat JBoss Core Services Not affected jbcs-httpd24-compose Red Hat JBoss Core Services Not affected jbcs-httpd24-curl Red Hat JBoss Core Services Not affected jbcs-httpd24-dist Red Hat JBoss Core Services Not affected jbcs-httpd24-jansson Red Hat JBoss Core Services Not affected jbcs-httpd24-mod_cluster-native Red Hat JBoss Core Services Not affected jbcs-httpd24-mod_jk Red Hat JBoss Core Services Not affected jbcs-httpd24-mod_md Red Hat JBoss Core Services Not affected jbcs-httpd24-mod_proxy_cluster Red Hat JBoss Core Services Not affected jbcs-httpd24-mod_security Red Hat JBoss Core Services Not affected jbcs-httpd24-nghttp2 Red Hat JBoss Core Services Not affected jbcs-httpd24-openssl Red Hat JBoss Core Services Not affected jbcs-httpd24-openssl-chil Red Hat JBoss Core Services Not affected jbcs-httpd24-openssl-pkcs11 Red Hat JBoss Web Server 5 Not affected jbcs-httpd24-apr Red Hat JBoss Web Server 5 Not affected jbcs-httpd24-openssl https://www.cve.org/CVERecord?id=CVE-2026-49975 https://nvd.nist.gov/vuln/detail/CVE-2026-49975 https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb