CVE-2026-49975
Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP req
CVSS
7.5
Alto
EPSS
11.5%
p96
KEV
—
Exploit Today
29
0-100
Publicado: 8 jun 2026 · Última mod.: 15 jul 2026 · CWE-789 · CWE-409
11.5%EPSS · 30 días11.5%
2026-06-302026-07-16
Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests. This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.
- httpd.apache.orghttps://httpd.apache.org/security/vulnerabilities_24.html
- www.openwall.comhttp://www.openwall.com/lists/oss-security/2026/06/03/3
- www.openwall.comhttp://www.openwall.com/lists/oss-security/2026/06/08/16
- lists.debian.orghttps://lists.debian.org/debian-lts-announce/2026/06/msg00009.html
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:25042
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:25057
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:25090
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:25225
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:27114
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:27200
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:27201
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:36373
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:36831
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:36846
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2026-49975
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2485371
- github.comhttps://github.com/EQSTLab/CVE-2026-49975
- security.access.redhat.comhttps://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-49975.json
CVECVSSEPSSKEVRExplotTítuloVis.
CVE-2026-214417.5 ALT84.0%
——25urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting `preload_content=False` when they do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when `preload_content=False`. If upgrading is not immediately possible, disable redirects by setting `redirect=False` for requests to untrusted source.2dCVE-2026-15267.5 ALT63.3%
——19The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.
The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.2dCVE-2026-403787.5 ALT53.5%
——16Memory allocation with excessive size value in Windows Local Security Authority Subsystem Service (LSASS) allows an unauthorized attacker to deny service over a network.5hCVE-2026-477747.5 ALT53.0%
——16Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability in Envoy's HTTP/2 downstream request processing allows an unauthenticated remote client to trigger excessive memory consumption, potentially resulting in OOM termination of the Envoy process and denial of service. The issue arises from the combination of two behaviors. First, cookie header bytes are not fully accounted for during request header size validation in Envoy. Second, HPACK header block limits in oghttp2/quiche are enforced on encoded bytes without a corresponding limit on total decoded header size. Together, these behaviors allow a malicious client to cause large decoded header allocations while bypassing the intended request header size protections. Versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1 contain a fix. No complete workaround is known short of applying a fix. Possible temporary mitigations include disabling downstream HTTP/2 where operationally feasible; enforcing stricter request header and cookie limits before traffic reaches Envoy; and monitoring Envoy memory usage for abnormal growth under HTTP/2 traffic.2dCVE-2026-539177.5 ALT52.3%
——16Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Client, Apache ActiveMQ Broker.
An authenticated user can cause a broker DoS by sending a crafted OpenWire Message with a large encoded size value for the map. OpenWire message property maps are unmarshaled without size validation which can trigger OOM and crash the broker.
This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Client: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Broker: before 5.19.8, from 6.0.0 before 6.2.7.
Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.14dCVE-2026-539167.5 ALT52.3%
——16Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp.
An unauthenticated client that opens a STOMP NIO connection can send header bytes that never terminate which makes the broker buffer them without limit, exhausting the JVM heap.
This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Stomp: before 5.19.8, from 6.0.0 before 6.2.7.
Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.14d