Published: 14 August 2019
In Apache HTTP Server 2.4.18-2.4.39, using fuzzed network input, the HTTP/2 session handling could be made to read memory after it had been freed, during connection shutdown.
apache2 2.4.18 to 2.4.39 are affected. apache 2.4.18 in xenial does not build mod_http2.
Unpatched servers can disable the h2/h2c protocol.
CVSS 3 base score: 9.1
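The check below is an added example, not part of the advisory or of Apache's own tooling: it flags a server whose version falls in the affected range while mod_http2 is loaded and a `Protocols` directive offers h2 or h2c. It assumes the caller passes the already-expanded configuration text (`Include` is not followed) and that mod_http2 is loaded through `LoadModule` rather than compiled in statically; `parse_version`, `assess` and the sample configurations are hypothetical names and constructed data.

```python
import re

# Affected range stated in the advisory: 2.4.18 through 2.4.39 inclusive.
AFFECTED_MIN, AFFECTED_MAX = (2, 4, 18), (2, 4, 39)
H2_PROTOCOLS = {"h2", "h2c"}

def parse_version(banner):
    """Extract (major, minor, patch) from text such as 'Apache/2.4.29 (Ubuntu)'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if m is None:
        raise ValueError(f"no version found in {banner!r}")
    return tuple(int(part) for part in m.groups())

def assess(banner, config_text):
    """Report whether a server offers h2/h2c while in the affected version range."""
    module_loaded, h2_lines = False, []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue  # blank line or comment
        directive = tokens[0].lower()  # directive names are case-insensitive
        if directive == "loadmodule" and tokens[1:2] == ["http2_module"]:
            module_loaded = True
        elif directive == "protocols" and H2_PROTOCOLS & {t.lower() for t in tokens[1:]}:
            h2_lines.append(lineno)
    in_range = AFFECTED_MIN <= parse_version(banner) <= AFFECTED_MAX
    return {
        "version_in_range": in_range,
        "mod_http2_loaded": module_loaded,
        "h2_protocol_lines": h2_lines,
        # Upstream version alone does not prove a package is unpatched
        # (distributions backport fixes), so treat this as a prompt to check.
        "needs_review": in_range and module_loaded and bool(h2_lines),
    }

# Constructed sample configurations (not taken from any real host).
EXPOSED = """LoadModule http2_module modules/mod_http2.so
# enable HTTP/2
Protocols h2 h2c http/1.1
"""
MITIGATED = EXPOSED.replace("Protocols h2 h2c http/1.1", "Protocols http/1.1")
NO_MODULE = "Protocols h2 http/1.1\n"  # e.g. a build without mod_http2

if __name__ == "__main__":
    for name, banner, conf in [("exposed", "Apache/2.4.29 (Ubuntu)", EXPOSED),
                               ("mitigated", "Apache/2.4.29 (Ubuntu)", MITIGATED),
                               ("no module", "Apache/2.4.18 (Ubuntu)", NO_MODULE)]:
        print(name, assess(banner, conf))
```

A `Protocols` directive can appear at server level and inside individual virtual hosts, so every line number reported in `h2_protocol_lines` needs to be changed for the mitigation to hold.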