Apache released HTTP Server version 2.4.68 on June 8, addressing 13 security vulnerabilities across nine modules. The release delivers the first official Apache patch for CVE-2026-49975 — the HTTP/2 “bomb” denial-of-service vulnerability that also affects nginx, Envoy, and Cloudflare and was originally disclosed earlier in June. All Apache HTTP Server installations running versions 2.4.0 through 2.4.67 are vulnerable to at least some of the patched issues.
CVE-2026-49975: Apache 2.4.68 Is the First Official Patch for the HTTP/2 Bomb DoS Flaw
CVE-2026-49975 is a denial-of-service vulnerability exploitable through the HTTP/2 protocol — a flaw that allows an attacker to send a specially crafted sequence of HTTP/2 frames that causes the server to consume disproportionate resources, effectively making it unavailable to legitimate clients. The vulnerability was publicly disclosed on June 3, prior to the Apache 2.4.68 release, meaning Apache HTTP Server deployments worldwide had a period of known exposure without an official patch from the project.
The 2.4.68 release closes this gap, providing administrators running Apache with a vendor-supported fix for CVE-2026-49975. Given the multi-platform scope of the HTTP/2 bomb vulnerability and its documented impact across major web infrastructure components, the availability of an official Apache patch marks a significant remediation milestone.
CVE-2026-49975’s Cross-Platform Scope Affecting nginx, Envoy, and Cloudflare
CVE-2026-49975 is not limited to Apache HTTP Server. nginx, Envoy, and Cloudflare’s edge infrastructure are also affected by the same underlying HTTP/2 protocol behavior, making this a cross-platform denial-of-service vulnerability with broad reach across web server and proxy deployments. Organizations operating multi-vendor web infrastructure should verify patch availability and status across all affected components, not only Apache. The Apache 2.4.68 release addresses the Apache-specific exposure; remediation for nginx, Envoy, and Cloudflare deployments depends on each vendor’s separate patch timeline.
CVE-2026-44119 Privilege Escalation and Two Use-After-Free Flaws in Apache 2.4.68
Beyond CVE-2026-49975, the 2.4.68 release patches three other notable vulnerabilities. CVE-2026-44119 is a moderate-severity privilege escalation flaw in Apache’s .htaccess expression handling — the mechanism that allows per-directory configuration overrides. Misconfigured or attacker-manipulated .htaccess expressions could be leveraged to escalate privileges beyond what a directory configuration should permit.
CVE-2026-29167 is a low-severity use-after-free condition in mod_ldap, the module handling LDAP directory authentication in Apache configurations. CVE-2026-48913 is a separate low-severity use-after-free in mod_http2, the HTTP/2 protocol implementation module. Use-after-free conditions can, under some circumstances, lead to memory corruption or code execution, though both vulnerabilities are currently rated at the low end of the severity scale.
Why All Apache HTTP Server Installations on Versions 2.4.0 Through 2.4.67 Are Affected
The 2.4.68 release addresses vulnerabilities spanning nine different Apache modules, and the affected version range — 2.4.0 through 2.4.67 — encompasses every prior release in the 2.4.x branch. This means there is no prior release that administrators can rely on as safe; the only version that includes all 13 patches is 2.4.68.
How the Nine-Module Vulnerability Scope in Apache 2.4.68 Reflects Web Server Attack Surface
Apache HTTP Server’s modular architecture — in which individual protocol handlers, authentication mechanisms, and configuration tools operate as discrete modules — distributes security risk across those modules independently. The 13 CVEs in this release spanning nine modules illustrate how a complex, widely deployed web server accumulates vulnerability exposure across its components over time. A release that patches a denial-of-service flaw in mod_http2 simultaneously addresses a privilege escalation in expression handling and use-after-free conditions in mod_ldap, reflecting the breadth of the attack surface that administrators must account for in any major Apache update.
Apache HTTP Server remains one of the most widely deployed web servers globally. Its presence in enterprise, cloud, and hosting environments means CVE-2026-49975 and the accompanying 2.4.68 patch are relevant to a substantial portion of active web infrastructure. Administrators should update to 2.4.68 without deferring to a later maintenance window, given the prior public disclosure of CVE-2026-49975 and the availability of the HTTP/2 bomb vulnerability’s technical details.
