Medium

Apache HTTP Server mod_http2 worker-thread starvation DoS

IdentifiersCVE-2016-1546CWE-400

Apache HTTP Server 2.4.17 and 2.4.18 are vulnerable to a denial-of-service condition in HTTP/2 processing when mod_http2 is enabled. The flaw is caused by the server not limiting the number of simultaneous stream workers that can be consumed by a single HTTP/2 connection. A remote attacker can manipulate HTTP/2 flow-control windows so that stream-processing resources remain occupied, leading to worker-thread starvation for that connection and degrading or preventing normal request handling. The issue is described as a Slowloris-style HTTP/2 exhaustion problem tied to manipulated flow-control windows.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can cause denial of service by exhausting or starving stream-processing worker resources in Apache httpd. This can lead to stream-processing outages, reduced capacity to serve legitimate clients, and potentially broader service unavailability depending on deployment size and concurrency limits.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, disable HTTP/2 support or mod_http2 on exposed Apache httpd instances where feasible. Reducing exposure of HTTP/2 services, placing the service behind infrastructure that can enforce connection and request-rate controls, and tuning limits related to slow clients and per-connection resource consumption may reduce exploitability, but the authoritative mitigation in the provided context is to patch or disable HTTP/2/mod_http2.

Remediation

Patch, then assume compromise.

Upgrade Apache HTTP Server to a fixed release that restricts the number of concurrent stream workers per connection when mod_http2 is enabled. The provided context indicates the fix was to restrict the number of concurrent stream workers per connection if the client is slow.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Apache Software FoundationHttp Serverapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app

socprime blogNews

Jun 5, 2026

CVE-2026-49975: HTTP/2 Bomb DoS Attack

An HTTP/2 Slowloris-style denial-of-service issue tied to continuation frames and manipulated flow-control windows.

Jun 4, 2026

OpenAI's Codex chains decade-old DoS techniques into HTTP/2 Bomb

A Slowloris-style denial-of-service issue involving keeping legitimate connections open as long as possible to exhaust server resources.

the hacker newsNews

Jun 3, 2026

New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare

A denial-of-service vulnerability involving worker-thread starvation in Apache HTTP Server over an HTTP/2 connection.

cyber security newsNews

Jun 3, 2026

HTTP/2 Bomb - Remote DoS Exploit Hits nginx, Apache, IIS, Envoy, and Cloudflare Pingora

A prior related vulnerability referenced in connection with HTTP/2/HPACK denial-of-service issues.

+2 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2016-1546

NVD

nvd.nist.gov/vuln/detail/CVE-2016-1546

MITRE CWE · CWE-400

cwe.mitre.org

Patch

httpd.apache.org/security/vulnerabilities_24.html

svn.apache.org

svn.apache.org/viewvc?view=revision&revision=1733727

apache.org

apache.org/dist/httpd/CHANGES_2.4

oracle.com

oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

oracle.com

oracle.com/technetwork/topics/security/bulletinoct2016-3090566.html

securityfocus.com

securityfocus.com/bid/92331

access.redhat.com

access.redhat.com/errata/RHSA-2017:1161

lists.apache.org

lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E

lists.apache.org

lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E

+12 more references

view more in app