CVE-2019-10082

Published: 14 August 2019

In Apache HTTP Server 2.4.18-2.4.39, using fuzzed network input, the http/2 session handling could be made to read memory after being freed, during connection shutdown.

Notes

Author: sbeattie
Note: apache2 2.4.18 to 2.4.39
      apache 2.4.18 in xenial does not build mod_http2

Mitigation

Unpatched servers can disable the h2/h2c protocol.
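
To confirm the mitigation is in place, the following added example (not part of the original advisory) scans Apache configuration text for `Protocols` directives that still enable h2 or h2c. The function names and the sample configuration are constructed for illustration.

```python
import re

# Upstream range stated in the advisory: 2.4.18 through 2.4.39.
AFFECTED_MIN, AFFECTED_MAX = (2, 4, 18), (2, 4, 39)
H2_TOKENS = {"h2", "h2c"}

def upstream_version_affected(version):
    """True if an upstream version such as '2.4.29' is in the affected range.
    Distro packages carry backported fixes, so for Ubuntu builds compare the
    package version against the Status table instead."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return AFFECTED_MIN <= parts <= AFFECTED_MAX

def http2_protocols(config_text):
    """Return [(line_number, [h2 tokens])] for Protocols directives enabling HTTP/2."""
    hits = []
    for number, raw in enumerate(config_text.splitlines(), 1):
        if raw.lstrip().startswith("#"):      # whole-line comment
            continue
        # \s+ after the name keeps ProtocolsHonorOrder from matching.
        match = re.match(r"\s*Protocols\s+(.+)", raw, re.IGNORECASE)
        if not match:
            continue
        enabled = [t for t in match.group(1).lower().split() if t in H2_TOKENS]
        if enabled:
            hits.append((number, enabled))
    return hits

# Constructed sample configuration (not taken from the advisory).
SAMPLE = """\
# Protocols h2 http/1.1
ProtocolsHonorOrder On
Protocols h2 h2c http/1.1
<VirtualHost *:443>
    Protocols http/1.1
</VirtualHost>
<VirtualHost *:8443>
    protocols H2 http/1.1
</VirtualHost>
"""

if __name__ == "__main__":
    for number, enabled in http2_protocols(SAMPLE):
        print(f"line {number}: remove {' '.join(enabled)} from Protocols")
```

An empty result means no `Protocols` directive in the scanned text enables HTTP/2; run it over every included configuration file, since virtual hosts can override the server-wide setting.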

Priority

Low

CVSS 3 base score: 9.1

Status

Package: apache2 (Launchpad, Ubuntu, Debian)

Release    Status
bionic     Released (2.4.29-1ubuntu4.10)
disco      Released (2.4.38-2ubuntu2.2)
precise    Not vulnerable (code not present)
trusty     Not vulnerable (code not present)
upstream   Released (2.4.41-1)
xenial     Not vulnerable (code not built)