Apache HTTP Server Panics When Receiving Invalid HTTP/2 Frames

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

7.5

Apache HTTP Server Panics When Receiving Invalid HTTP/2 Frames

CVE-2026-27141

Summary

Apache HTTP Server may crash when receiving certain HTTP/2 frames. This can happen when a malicious user sends specific, unusual HTTP/2 data to the server. To protect your server, update to the latest version of Apache HTTP Server.

Original title

Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic

Original description

Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic

nvd CVSS3.1 7.5

Vulnerability type

CWE-476 NULL Pointer Dereference

https://go.dev/cl/746180
https://go.dev/issue/77652
https://nvd.nist.gov/vuln/detail/CVE-2026-27141
https://pkg.go.dev/vuln/GO-2026-4559

Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026