CVE-2025-53020
Description
Important: httpd:2.4 security update
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Mitigation details
Description mod_http2: Apache HTTP Server: HTTP/2 DoS by Memory Increase Red Hat statement The attack surface can be reduced by disabling HTTP/2 support in Apache. Follow the guidance in Red Hat KCS article to: - Remove h2 and h2c from the Protocols directive - Disable mod_http2 and mod_proxy_http2 modules (if not required) https://access.redhat.com/node/7056356 CVSS v3: 5.3โฆ
Description
mod_http2: Apache HTTP Server: HTTP/2 DoS by Memory Increase
Red Hat statement
The attack surface can be reduced by disabling HTTP/2 support in Apache. Follow the guidance in Red Hat KCS article to: - Remove h2 and h2c from the Protocols directive - Disable mod_http2 and mod_proxy_http2 modules (if not required) https://access.redhat.com/node/7056356
CVSS v3: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Errata / fixed releases
| Product | Package | Advisory | Released |
|---|---|---|---|
| Red Hat Enterprise Linux 10 | mod_http2-0:2.0.29-4.el10_2 | RHSA-2026:22528 | 2026-06-03T00:00:00Z |
| Red Hat Enterprise Linux 8 | httpd:2.4-8100020260519200905.489197e6 | RHSA-2026:22140 | 2026-06-01T00:00:00Z |
| Red Hat Enterprise Linux 9 | mod_http2-0:2.0.26-6.el9_8 | RHSA-2026:22551 | 2026-06-03T00:00:00Z |
Package state
| Product | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 6 | httpd | Not affected |
| Red Hat Enterprise Linux 7 | httpd | Not affected |
| Red Hat JBoss Core Services | jbcs-httpd24-httpd | Affected |
Apply commands
yum update -y mod_http2
# or:
dnf upgrade -y mod_http2Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | Red Hat Enterprise Linux 6 | Not affected |
| redhat | Red Hat Enterprise Linux 7 | Not affected |
| redhat | Red Hat JBoss Core Services | Affected |
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| โ | Affected | โ |
AlmaLinux Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 8 | Fixed | httpd-filesystem-2.4.37-65.module_el8.10.0+4185+0955a0d7.8.noarch.rpm |
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 2.4.64-1 |
| sid | Fixed | 2.4.64-1 |
| forky | Fixed | 2.4.64-1 |
| bullseye | Fixed | 2.4.65-1~deb11u1 |
| bookworm | Fixed | 2.4.65-1~deb12u1 |
Red Hat Fixed 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | โ |
| 8 | Fixed | โ |
References
- https://security-tracker.debian.org/tracker/CVE-2025-53020
- https://www.suse.com/security/cve/CVE-2025-53020.html
- https://access.redhat.com/errata/RHSA-2026:22140
- https://access.redhat.com/errata/RHSA-2026:22551
- https://bugzilla.redhat.com/2379343
- https://bugzilla.redhat.com/2464940
- https://bugzilla.redhat.com/2464952
- https://bugzilla.redhat.com/2464953
- https://bugzilla.redhat.com/2465299
- https://bugzilla.redhat.com/2466913
- https://errata.almalinux.org/8/ALSA-2026-22140.html
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.