HighPublic exploit

Apache HTTP Server mod_http2 CONTINUATION Frame Memory Exhaustion DoS

IdentifiersCVE-2016-8740CWE-400

CVE-2016-8740 is a denial-of-service flaw in Apache HTTP Server's mod_http2 module affecting versions 2.4.17 through 2.4.23 when HTTP/2 is enabled via the Protocols directive including h2 or h2c. In the vulnerable implementation, request-header length is not properly restricted during processing of HTTP/2 CONTINUATION frames. A remote client can send crafted HTTP/2 requests containing excessive or effectively unbounded header continuation data, causing the server to allocate memory without adequate limits. The issue is specifically tied to handling of CONTINUATION frames in an HTTP/2 request and results in resource exhaustion rather than code execution.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

A remote unauthenticated attacker can cause denial of service by driving excessive memory consumption in Apache httpd processes handling HTTP/2 traffic. Successful exploitation can degrade performance, exhaust available memory, and render the service unavailable to legitimate users. The provided context characterizes this as an HTTP/2 Slowloris-style exhaustion issue associated with endless or crafted CONTINUATION frames.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, disable HTTP/2 support in Apache HTTP Server by removing h2/h2c from the Protocols configuration so mod_http2 is not exposed. More generally, restrict exposure of HTTP/2 services, place the server behind infrastructure that can enforce request/header limits, and monitor for abnormal memory growth or abusive HTTP/2 connections.

Remediation

Patch, then assume compromise.

Upgrade Apache HTTP Server to a fixed release newer than the affected range 2.4.17 through 2.4.23. Apply the vendor-provided mod_http2/httpd updates that enforce appropriate limits on HTTP/2 request-header processing and CONTINUATION frame handling.

PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 1 candidate as fakes, detection scripts, or README-only repos.

VALID 0 / 1 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Apache Software FoundationHttp Serverapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app

socprime blogNews

Jun 5, 2026

CVE-2026-49975: HTTP/2 Bomb DoS Attack

An HTTP/2 Slowloris-style denial-of-service issue tied to continuation frames and manipulated flow-control windows.

Jun 4, 2026

OpenAI's Codex chains decade-old DoS techniques into HTTP/2 Bomb

A Slowloris-style denial-of-service issue involving keeping legitimate connections open as long as possible to exhaust server resources.

the hacker newsNews

Jun 3, 2026

New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare

A denial-of-service vulnerability in Apache HTTP Server via crafted CONTINUATION frames in an HTTP/2 connection.

cyber security newsNews

Jun 3, 2026

HTTP/2 Bomb - Remote DoS Exploit Hits nginx, Apache, IIS, Envoy, and Cloudflare Pingora

A prior related vulnerability referenced in connection with HTTP/2/HPACK denial-of-service issues.

+2 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2016-8740

NVD

nvd.nist.gov/vuln/detail/CVE-2016-8740

MITRE CWE · CWE-400

cwe.mitre.org

Patch

github.com/apache/httpd/commit/29c63b786ae028d82405421585e91283c8fa0da3

Third Party Advisory

packetstormsecurity.com/files/140023/Apache-HTTPD-Web-Server-2.4.23-Memory-Exhaustion.html

Third Party Advisory

securityfocus.com/bid/94650

Third Party Advisory

securitytracker.com/id/1037388

Third Party Advisory

exploit-db.com/exploits/40909

rhn.redhat.com

rhn.redhat.com/errata/RHSA-2017-1415.html

access.redhat.com

access.redhat.com/errata/RHSA-2017:1161

access.redhat.com

access.redhat.com/errata/RHSA-2017:1413

access.redhat.com

access.redhat.com/errata/RHSA-2017:1414

+19 more references

view more in app