mod_http2 (AlmaLinux:9) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the AlmaLinux:9 package mod_http2, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (9)
CVE-2023-25690 — CVSS 9.8 (critical): Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are…
CVE-2023-43622 — CVSS 7.5 (high): An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in…
CVE-2024-27316 — CVSS 7.5 (high): HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a…
CVE-2026-49975 — CVSS 7.5 (high): Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP…
CVE-2025-49630 — CVSS 7.5 (high): In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered…
CVE-2025-53020 — CVSS 7.5 (high): Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: from 2.4.17 up…
CVE-2023-45802 — CVSS 5.9 (medium): When a HTTP/2 stream was reset (RST frame) by a client, there was a time window were the request's memory resources were not reclaimed…
CVE-2024-36387 — CVSS 5.4 (medium): Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server…