CVE-2026-48913 PUBLISHED

Apache HTTP Server: mod_http2 memory corruption when file handles exhausted

Assigner: apache
Reserved: 26.05.2026 Published: 08.06.2026 Updated: 08.06.2026

Use After Free vulnerability in Apache HTTP Server module mod_http2 when file handles are already exhausted.

This issue affects Apache HTTP Server: from 2.4.55 through 2.4.67.

Product Status

Vendor: Apache Software Foundation
Product: Apache HTTP Server
Versions (default: unaffected):
  • affected from 2.4.55 to 2.4.67 (incl.)

Credits

  • Finder: Sam Lovejoy, IBM X-Force Offensive Research (XOR)

Problem Types

  • CWE-416 Use After Free