Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 09 Jun 2021 23:11:00 +0200
From: Christophe JAILLET <>
Subject: CVE-2021-31618: Apache httpd: NULL pointer dereference on specially crafted HTTP/2 request

CVE-2021-31618: NULL pointer dereference on specially crafted HTTP/2 request

Severity: important

Vendor: The Apache Software Foundation

Versions Affected:
Apache HTTP Server 2.4.47
Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions and HTTP response is sent to the client with a status code indicating why the request was rejected.

This rejection response was not fully initialised in the HTTP/2 protocol handler if the offending header was the very first one received or appeared in a a footer. This led to a NULL pointer dereference on initialised memory, crashing reliably the child process. Since such a triggering HTTP/2 request is easy to craft and submit, this can be exploited to DoS the server.

This affected versions prior to 2.4.47


Apache HTTP server would like to thank  LI ZHI XIN from NSFocus for reporting this.


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.