CVE-2025-53020

high
Published 2026-06-01 · Modified 2026-06-01
CVSS v3
—
CVSS v4
—
not yet in upstream
VIR risk
8.0

Description

RHSA-2026:22140: httpd:2.4 security update (Important)

Predictions

Exploit likelihood
20%
Patch ETA
—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Red Hat Errata — Red Hat Inc. · View original · Open-Errata-API


Description

mod_http2: Apache HTTP Server: HTTP/2 DoS by Memory Increase

Red Hat statement

The attack surface can be reduced by disabling HTTP/2 support in Apache. Follow the guidance in the Red Hat KCS article (https://access.redhat.com/node/7056356) to:

- Remove h2 and h2c from the Protocols directive
- Disable the mod_http2 and mod_proxy_http2 modules (if not required)
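As an added illustration (not taken from this page or from Red Hat's KCS article), this is what the two steps above look like in an Apache configuration: the HTTP/2-enabled Protocols line beside its reduced form, and the two module loads commented out. File locations and module paths are assumptions based on the stock RHEL httpd layout.

```apache
# Before (typical HTTP/2-enabled setting): h2 (TLS) and h2c (cleartext)
# are negotiated alongside HTTP/1.1.
#Protocols h2 h2c http/1.1

# After: only HTTP/1.1 is offered, so mod_http2 never handles a connection.
# Assumed location: /etc/httpd/conf/httpd.conf or a conf.d/*.conf drop-in.
Protocols http/1.1

# Step 2: stop loading the HTTP/2 modules when nothing depends on them.
# Assumed location on RHEL: /etc/httpd/conf.modules.d/10-h2.conf and
# 10-proxy_h2.conf. Commenting the LoadModule lines removes the code
# from the running server instead of merely not negotiating the protocol.
#LoadModule http2_module modules/mod_http2.so
#LoadModule proxy_http2_module modules/mod_proxy_http2.so
```

After editing, `httpd -M` lists the loaded modules; `http2_module` and `proxy_http2_module` should no longer appear, and `apachectl configtest` should report `Syntax OK` before the service is reloaded. Reducing the Protocols directive alone leaves the module loaded, so both steps are needed for the smaller attack surface the statement describes.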

CVSS v3: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Package state

Product | Package | State
Red Hat Enterprise Linux 10 | mod_http2 | Affected
Red Hat Enterprise Linux 6 | httpd | Not affected
Red Hat Enterprise Linux 7 | httpd | Not affected
Red Hat Enterprise Linux 8 | httpd:2.4/mod_http2 | Affected
Red Hat Enterprise Linux 9 | mod_http2 | Affected
Red Hat JBoss Core Services | jbcs-httpd24-httpd | Affected

Affected

Vendor | Product | Version
redhat | Red Hat Enterprise Linux 10 | Affected
redhat | Red Hat Enterprise Linux 6 | Not affected
redhat | Red Hat Enterprise Linux 7 | Not affected
redhat | Red Hat Enterprise Linux 8 | Affected
redhat | Red Hat Enterprise Linux 9 | Affected
redhat | Red Hat JBoss Core Services | Affected

OS impact

OS | Version | Status | Fixed in
debian | bookworm | fixed | 2.4.65-1~deb12u1
debian | bullseye | fixed | 2.4.65-1~deb11u1
debian | forky | fixed | 2.4.64-1
debian | sid | fixed | 2.4.64-1
debian | trixie | fixed | 2.4.64-1
suse | sles | affected | —
redhat | rhel8 | fixed | —
