Apache HTTP Server
cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*
- >= 2.4.17, <= 2.4.63
A "late release of memory after effective lifetime" vulnerability has been identified in the HTTP/2 module of Apache HTTP Server. This issue affects versions from 2.4.17 up to 2.4.63. The vulnerability can lead to a denial-of-service condition by causing memory exhaustion.
Exploitation of this vulnerability causes a denial-of-service condition by exhausting memory resources, which can lead to server crashes or degraded performance.
The vulnerability can be reproduced by sending a series of HTTP/2 requests that reset the stream (RST frame) and then send new requests, effectively keeping the connection open and busy. This can be done using a custom HTTP/2 client that simulates this behavior.
Users are advised to upgrade to Apache HTTP Server version 2.4.64, which addresses this vulnerability.
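For hosts that cannot be upgraded immediately, the open-then-reset request pattern described in the reproduction note can be watched for. The following detector is an added example, not part of the original advisory or of the Apache project. The event tuple format, the thresholds and the sample data are assumptions constructed for illustration; real frame events would have to come from whatever HTTP/2-aware telemetry sits in front of the server.

```python
from collections import defaultdict, deque

def flag_reset_churn(events, window=1.0, max_resets=20, min_ratio=0.8):
    """Flag connections whose client opens streams and resets them in bulk.

    events: time-ordered (ts_seconds, conn_id, frame_type, stream_id) tuples
    for client-sent frames (hypothetical format, an assumption of this example).
    Returns {conn_id: peak number of client resets seen inside `window` seconds}.
    """
    live = defaultdict(set)       # conn -> streams opened and not yet reset
    n_opened = defaultdict(int)   # conn -> streams opened in total
    n_reset = defaultdict(int)    # conn -> streams the client reset
    recent = defaultdict(deque)   # conn -> reset timestamps inside the window
    peak = defaultdict(int)       # conn -> largest len(recent) observed
    for ts, conn, ftype, sid in events:
        if ftype == "HEADERS" and sid not in live[conn]:
            live[conn].add(sid)   # trailers on a live stream are not recounted
            n_opened[conn] += 1
        elif ftype == "RST_STREAM" and sid in live[conn]:
            live[conn].discard(sid)
            n_reset[conn] += 1
            q = recent[conn]
            q.append(ts)
            while ts - q[0] > window:   # drop resets older than the window
                q.popleft()
            peak[conn] = max(peak[conn], len(q))
    # Require both a burst (peak) and a session dominated by resets (ratio),
    # so a client that cancels the occasional request is not flagged.
    return {c: p for c, p in peak.items()
            if p >= max_resets and n_reset[c] / n_opened[c] >= min_ratio}

def sample_events():
    """Constructed sample: c1 browses normally, c2 opens and resets 40 streams."""
    ev = [(0.0, "c1", "HEADERS", 1), (0.5, "c1", "HEADERS", 3),
          (1.0, "c1", "HEADERS", 5), (1.1, "c1", "RST_STREAM", 5),
          (1.5, "c1", "HEADERS", 7), (2.0, "c1", "HEADERS", 9)]
    for i in range(40):
        sid = 2 * i + 1               # client-initiated stream ids are odd
        ev.append((0.01 * i, "c2", "HEADERS", sid))
        ev.append((0.01 * i + 0.005, "c2", "RST_STREAM", sid))
    return sorted(ev, key=lambda e: e[0])

if __name__ == "__main__":
    print(flag_reset_churn(sample_events()))
```

The default thresholds are placeholders and need tuning against normal traffic for the site, since some legitimate clients cancel requests in small bursts.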