CVE-2024-27316

CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames

Vendor Apache Software Foundation

Product Apache HTTP Server

Weakness CWE-770 · Uncontrolled resource consumption

Published April 4, 2024

Last update November 4, 2025

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.

Key dates

Disclosure timeline

April 4, 2024 CVE published

November 4, 2025 Record updated