CVE-2026-49975: Remote Denial of Service via HTTP/2 HPACK Cookie Memory Amplification in Apache HTTP Server
Vulnerability ID: CVE-2026-49975
CVSS Score: 7.5
Published: 2026-06-08
CVE-2026-49975 describes a high-severity remote Denial of Service (DoS) vulnerability in the Apache HTTP Server's mod_http2 module. An unauthenticated attacker can abuse the interaction between HPACK header compression and mod_http2's cookie-merging behavior to trigger quadratic memory allocation, and can keep that memory held by manipulating the HTTP/2 flow-control window, ultimately forcing an Out-of-Memory condition on the server host.
TL;DR
A memory amplification bug in Apache's mod_http2 allows remote unauthenticated attackers to exhaust server RAM using small HTTP/2 header streams, causing a Denial of Service.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-789
- Attack Vector: Network
- CVSS Score: 7.5 (High)
- EPSS Score: 0.01313
- EPSS Percentile: 66.94%
- Impact: Remote Denial of Service
- Exploit Status: Proof-of-Concept Available
- CISA KEV Status: Not Listed
Affected Systems
- Apache HTTP Server (mod_http2): 2.4.17 through 2.4.67 (fixed in 2.4.68)
Code Analysis
Commit: 35c6e40
Fix memory allocation amplification in mod_http2 HPACK cookie parsing
--- a/mod_http2/h2_util.c\n+++ b/mod_http2/h2_util.c\n@@ -1708,6 +1708,8 @@ static apr_status_t req_add_header(apr_table_t *headers, apr_pool_t *pool,\n && !ap_cstr_casecmpn(\"cookie\", (const char *)nv->name, nv->namelen)) {\n existing = apr_table_get(headers, \"cookie\");\n if (existing) {\n+\t if (!nv->valuelen)\n+\t return APR_SUCCESS;\n /* Cookie header come separately in HTTP/2, but need\n * to be merged by \"; \" (instead of default \", \")\n */\n@@ -1719,6 +1721,8 @@ static apr_status_t req_add_header(apr_table_t *headers, apr_pool_t *pool,\n apr_table_setn(headers, \"Cookie\",\n apr_psprintf(pool, \"%s; %.*s\", existing,\n (int)nv->valuelen, nv->value));\n+\t /* Treat the merge as an \"add\" to not escape LimitRequestFields */\n+\t *pwas_added = 1;\n return APR_SUCCESS;\n }
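Review bot: in the first hunk (@@ -1708), the new early return for an empty cookie value (`if (!nv->valuelen) return APR_SUCCESS;`) exits before `*pwas_added` is set, so a stream of empty `cookie` fields no longer grows the merged header but still is not counted against LimitRequestFields; if the intent of the second hunk is that every merged cookie counts as an added field, consider setting `*pwas_added = 1` on this path too, or add a comment explaining why empty values are exempt. The check also only runs when `existing` is non-NULL, so the first empty cookie value still takes the normal set path, which is fine but deserves a comment.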
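Review bot: in the second hunk (@@ -1719), setting `*pwas_added = 1` after the merge makes each merged cookie count toward LimitRequestFields, but the merge itself is unchanged: `apr_psprintf(pool, "%s; %.*s", existing, ...)` still allocates a fresh copy of the whole accumulated value from the request pool on every call, and the earlier copies stay allocated until the pool is cleared, so the bytes allocated remain quadratic in the number of cookie fields. The fix therefore relies on LimitRequestFields (default 100) to bound that count; a comment stating that this limit is the guarantee, rather than any change to the merge cost, would make the reasoning explicit for the next reader.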
Exploit Details
- GitHub (mrx-arafat): Multi-stream Python script utilizing TLS targeting classic and nginx modes.
- GitHub (EQSTLab): Local h2c cleartext Python script estimating memory amplification.
- GitHub (LSG-PolarBear): GUI-based proof of concept exploit repository for CVE-2026-49975.
Mitigation Strategies
- Upgrade to Apache HTTP Server 2.4.68 or later
- Upgrade mod_http2 to standalone version 2.0.41 or higher
- Disable HTTP/2 support to fall back to HTTP/1.1
- Implement operating system or container memory boundaries on worker processes
Remediation Steps:
- Identify affected server configurations by checking whether HTTP/2 is negotiated and which server version is reported, for example with a command-line curl request.
- Apply upstream package updates using default system package managers or compile the latest source distribution of httpd.
- If immediate patching is not possible, edit httpd.conf or ssl.conf to limit protocols explicitly to http/1.1.
- Apply systemd MemoryMax parameters or run Docker containers with enforced memory and swap limits to prevent system-wide lockups.
- Verify the remediation by running automated validation scripts against the newly modified hosts.
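The identify and verify steps above, as an added example that is not from the advisory or from the httpd project: a POSIX shell triage helper that classifies a response header block (as printed by `curl -sI --http2`) against the affected version range. The function names and the sample responses are assumptions constructed for this example.

```shell
#!/bin/sh
# Added triage helper for the remediation steps above; not part of the advisory
# or of the httpd project. Function names and samples are assumed/constructed.

# True (exit 0) when an httpd version string lies in the affected range
# 2.4.17 through 2.4.67 given in the advisory.
is_vulnerable_httpd() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    patch=$(printf '%s' "$1" | cut -d. -f3 | sed 's/[^0-9].*//')
    [ "$major" = "2" ] && [ "$minor" = "4" ] && [ -n "$patch" ] || return 1
    [ "$patch" -ge 17 ] && [ "$patch" -le 67 ]
}

# Pull "2.4.58" out of the Server: line of a raw header block (HTTP/2
# responses use lowercase field names). Prints nothing if ServerTokens hides it.
httpd_version_from_headers() {
    printf '%s\n' "$1" | tr -d '\r' \
        | sed -n 's/^[Ss]erver:[[:space:]]*Apache\/\([0-9][0-9.]*\).*/\1/p' \
        | head -n 1
}

# True when the status line shows the server actually negotiated HTTP/2;
# an HTTP/1.1-only response means the mod_http2 cookie path is not reached.
negotiated_http2() {
    printf '%s\n' "$1" | head -n 1 | grep -q '^HTTP/2'
}

# Classify one response header block, e.g. "$(curl -sI --http2 https://host/)".
triage_headers() {
    ver=$(httpd_version_from_headers "$1")
    if ! negotiated_http2 "$1"; then echo "not-http2"
    elif [ -z "$ver" ]; then echo "unknown"      # version hidden: verify on host
    elif is_vulnerable_httpd "$ver"; then echo "vulnerable"
    else echo "patched"
    fi
}

# Constructed sample responses (not captured from real hosts).
SAMPLE_VULN='HTTP/2 200
server: Apache/2.4.58 (Debian)
content-type: text/html'
SAMPLE_FIXED='HTTP/2 200
server: Apache/2.4.68 (Unix)'
SAMPLE_H11='HTTP/1.1 200 OK
Server: Apache/2.4.58 (Debian)'
SAMPLE_HIDDEN='HTTP/2 200
server: Apache'

# Interim mitigation from the steps above: "Protocols http/1.1" in httpd.conf.
printf 'constructed vulnerable sample -> %s\n' "$(triage_headers "$SAMPLE_VULN")"
```

A result of "unknown" means the version is hidden in the banner, so the installed package version must be checked on the host instead.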
References
- CVE Official Record
- Apache HTTP Server Security Advisories
- Upstream Bugfix Commit
- Calif.IO HTTP/2 Bomb Discovery Blog
- OSS-Security List Disclosure
- OSS-Security Official Announcement
- Debian Security Announcement
- mrx-arafat Proof-of-Concept Exploit
- EQSTLab PoC Repository
- LSG-PolarBear PoC Exploit