CVE-2026-49975
Publication date 3 June 2026
Last updated 18 June 2026
Ubuntu priority
Description
Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests. This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| nginx | 26.04 LTS resolute |
Fixed 1.28.3-2ubuntu1.5
|
| 25.10 questing |
Fixed 1.28.0-6ubuntu1.7
|
|
| 24.04 LTS noble |
Fixed 1.24.0-2ubuntu7.12
|
|
| 22.04 LTS jammy |
Fixed 1.18.0-6ubuntu14.15
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial |
Needs evaluation
|
|
| 14.04 LTS trusty |
Needs evaluation
|
|
| apache2 | 26.04 LTS resolute |
Fixed 2.4.66-2ubuntu2.2
|
| 25.10 questing |
Fixed 2.4.64-1ubuntu3.5
|
|
| 24.04 LTS noble |
Fixed 2.4.58-1ubuntu8.13
|
|
| 22.04 LTS jammy |
Fixed 2.4.52-1ubuntu4.21
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial |
Needs evaluation
|
|
| 14.04 LTS trusty |
Needs evaluation
|
Notes
mdeslaur
nginx fixed this by releasing 1.29.8 with a max_headers directive with a default of 1000. They did not mention this release on their security page, and did not assign an nginx specific CVE to this issue. The nginx fix for this issue breaks ABI and introduced a regression causing nginx to crash when being used with external modules. The CVE fix was reverted in 8398-2. USN-8398-3 provided a complete fix for this issue.
Severity score breakdown
CVSS version: CVSS v3.0
Base score
7.5 · High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
Related Ubuntu Security Notices (USN)
- USN-8384-1
- Apache HTTP Server vulnerability
- 4 June 2026
- USN-8398-1
- nginx vulnerability
- 8 June 2026
- USN-8398-3
- nginx vulnerability
- 15 June 2026