{}

{}

{}

{"bugzilla": {"description": "httpd: HTTP/2: Remote Denial of Service via compression bomb and Slowloris-style attack", "id": "2485371", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2485371"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-409", "details": ["A flaw was found in HTTP/2, affecting various web servers. A remote attacker can exploit this vulnerability by combining an HPACK compression bomb with a zero-byte flow-control window. This technique allows a small amount of data to expand into large memory allocations on the server, which are then held, leading to a denial of service (DoS) by rendering the server inaccessible."], "mitigation": {"lang": "en:us", "value": "There's no current mitigation for Apache's httpd server other than disabling HTTP/2 support for the VirtualHost. This is achieved by adding the following line into the configuration of a given virtual host:\n~~~\nProtocols http/1.1\n~~~\nAfter the change is in place the `httpd` service need to be restarted by running:\n~~~\nsystemctl restart httpd\n~~~\nNotice this change will force the httpd to only support HTTPv1.1 protocol."}, "name": "CVE-2026-49975", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Under investigation", "package_name": "openshift-service-mesh/proxyv2-rhel9", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Under investigation", "package_name": "openshift-service-mesh/istio-proxyv2-rhel9", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "mod_http2", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "mod_http2", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "mod_http2", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Affected", "package_name": "httpd", "product_name": "Red Hat Hardened Images"}, {"cpe": "cpe:/a:redhat:insights_proxy:1", "fix_state": "Affected", "package_name": "insights-proxy/insights-proxy-container-rhel9", "product_name": "Red Hat Lightspeed proxy 1"}], "public_date": "2026-06-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-49975\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-49975\nhttps://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb"], "statement": "There's and important denial-of-service vulnerability affecting the Apache's `httpd` HTTP/2 protocol implementation. An unauthenticated remote attacker can exploit this flaw by combining HPACK compression with flow control manipulation, leading to significant server memory exhaustion and rendering the service inaccessible. This vulnerability exists in default HTTP/2 configurations.", "threat_severity": "Important"}

{"created": "2026-06-06T02:00:10.398862+00:00", "updated": "2026-06-06T02:00:10.398875+00:00", "vendors": []}