{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Apache HTTP Server", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "2.4.67", "status": "affected", "version": "2.4.55", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Sam Lovejoy, IBM X-Force Offensive Research (XOR)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "

Use After Free vulnerability in Apache HTTP Server module mod_http2 when file handles are already exhausted.

This issue affects Apache HTTP Server: from 2.4.55 through 2.4.67.


" } ], "value": "Use After Free vulnerability in Apache HTTP Server module mod_http2 when file handles are already exhausted.\n\nThis issue affects Apache HTTP Server: from 2.4.55 through 2.4.67." } ], "metrics": [ { "other": { "content": { "text": "low" }, "type": "Textual description of severity" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-416", "description": "CWE-416 Use After Free", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09" }, "source": { "discovery": "UNKNOWN" }, "timeline": [ { "lang": "en", "time": "2026-05-22T12:00:00.000Z", "value": "reported" }, { "lang": "en", "time": "2026-06-03T12:00:00.000Z", "value": "fixed in 2.4.x by r1934882" }, { "lang": "eng", "time": "2026-06-08T12:00:00.000Z", "value": "2.4.68 released" } ], "title": "mod_http2 memory corruption when file handles exhausted", "x_generator": { "engine": "Vulnogram 0.2.0" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://httpd.apache.org/security/vulnerabilities_24.html" } ] } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "cveId": "CVE-2026-48913", "serial": 1, "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "CNA_private": { "emailed": null, "projecturl": null, "owner": "httpd", "state": "DRAFT", "todo": [], "type": "unsure" } }