HTTP/2 Bomb - CVE-2026-49975

Comments

4 comments

  • cPRex Jurassic Moderator

    Hey there!  We're not currently working on this one..............because we released a patch a few hours ago :)

    https://docs.cpanel.net/changelogs/easyapache-4-change-log-25/

    • EA-13454: Update ea-apache24 from v2.4.67-2 to v2.4.67-3.
    • (CVE-2026-49975) Security: HTTP/2 Bomb - cookie headers bypass LimitRequestFields allowing remote memory exhaustion via mod_http2.
  • Ioannis Savvopoulos

    We haven't received any patch yet.
    The one installed at the moment is 2.4.67-1 from the repo cl-ea4-testing, and on yum update, I get:

    Dependencies resolved.
    Nothing to do.
    Complete!

    What's the recommended procedure here? I assume we have to wait for CloudLinux to release the new version?

  • cPRex Jurassic Moderator

    If you're using CloudLinux you'll have to wait just a bit while they get those packages released on their end.

  • mtindor

    Your mileage may vary, but if you're running CloudLinux, there are updates in their testing repo now. I had a ticket open with CL.

    ========================

    Hello Mike,
     
    Thank you for your patience!
     
    The patched version has been released, and it's available in our beta repository. To update, please run:

    dnf update ea-apache24 --enablerepo=cl-ea4-testing

     
    We are here to help, so please don't hesitate to reach out if you need further assistance.

    =============

    I had no problem updating all of my machines using those instructions.

     
