NULL pointer dereference in Apache Software Foundation Http Server
CVE-2021-31618
Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions and HTTP res…
EPSS: 0.512 (98.8th percentile)
Affected products
- Apache Software Foundation Http Server — version 2.4.47
Weakness classification (CWE)
Public proof-of-concept exploits
References
- httpd.apache.org/security/vulnerabilities_24.html
- [oss-security] 20210609 CVE-2021-31618: Apache httpd: NULL pointer dereference on specially crafted HTTP/2 request (mailing-list)
- seclists.org/oss-sec/2021/q2/206
- [httpd-cvs] 20210615 svn commit: r1890801 - /httpd/site/trunk/content/security/json/CVE-2021-31618.json (mailing-list)
- [httpd-cvs] 20210615 svn commit: r1075782 - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_24.html (mailing-list)
- FEDORA-2021-051639aad4 (vendor-advisory)
- FEDORA-2021-181f29c392 (vendor-advisory)
- [debian-lts-announce] 20210709 [SECURITY] [DLA 2706-1] apache2 security update (mailing-list)
- DSA-4937 (vendor-advisory)
- GLSA-202107-38 (vendor-advisory)
Frequently asked questions
- What is CVE-2021-31618?
- CVE-2021-31618 is a vulnerability in Apache Software Foundation Http Server, classified under NULL Pointer Dereference. Published 2021-06-15.
- Is CVE-2021-31618 known to be exploited?
- 8 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.