CVE-2021-31618

Name: CVE-2021-31618
Creator: NVD / NIST
Published: 2021-06-15T09:15:07.96+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 51.21%

Last modified Jun 17, 2026

CVE-2021-31618 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions and HTTP response is sent to the client with a status code indicating why the request was rejected. EPSS estimates a 51.21% chance of exploitation in the next 30 days.

Description

Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions and HTTP response is sent to the client with a status code indicating why the request was rejected. This rejection response was not fully initialised in the HTTP/2 protocol handler if the offending header was the very first one received or appeared in a a footer. This led to a NULL pointer dereference on initialised memory, crashing reliably the child process. Since such a triggering HTTP/2 request is easy to craft and submit, this can be exploited to DoS the server. This issue affected mod_http2 1.15.17 and Apache HTTP Server version 2.4.47 only. Apache HTTP Server 2.4.47 was never released.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Probability

51.21%

98.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Apache	Http Server	1.15.17
Apache	Http Server	2.4.47
Fedoraproject	Fedora	33
Fedoraproject	Fedora	34
Debian	Debian Linux	9.0
Debian	Debian Linux	10.0
Oracle	Enterprise Manager Ops Center	12.4.0.0
Oracle	Instantis Enterprisetrack	17.1
Oracle	Instantis Enterprisetrack	17.2
Oracle	Instantis Enterprisetrack	17.3
Oracle	Zfs Storage Appliance Kit	8.8

References

http://httpd.apache.org/security/vulnerabilities_24.htmlRelease Notes, Vendor Advisory
http://www.openwall.com/lists/oss-security/2021/06/10/9Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2024/03/13/2
https://lists.apache.org/thread.html/r14b66ef0f4f569fd515a3f96cd4eb58bd9a8ff525cc326bb0359664f%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r783b6558abf3305b17ea462bed4bd66d82866438999bf38cef6d11d1%40%3Ccvs.httpd.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/07/msg00006.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2NKJ3ZA3FTSZ2QBBPKS6BYGAWYRABNQQ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A73QJ4HPUMU26I6EULG6SCK67TUEXZYR/
https://seclists.org/oss-sec/2021/q2/206Mailing List, Third Party Advisory
https://security.gentoo.org/glsa/202107-38Third Party Advisory
https://security.netapp.com/advisory/ntap-20210727-0008/Third Party Advisory
https://www.debian.org/security/2021/dsa-4937Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.htmlPatch, Third Party Advisory
http://httpd.apache.org/security/vulnerabilities_24.htmlRelease Notes, Vendor Advisory
http://www.openwall.com/lists/oss-security/2021/06/10/9Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2024/03/13/2
https://lists.apache.org/thread.html/r14b66ef0f4f569fd515a3f96cd4eb58bd9a8ff525cc326bb0359664f%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r783b6558abf3305b17ea462bed4bd66d82866438999bf38cef6d11d1%40%3Ccvs.httpd.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/07/msg00006.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2NKJ3ZA3FTSZ2QBBPKS6BYGAWYRABNQQ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A73QJ4HPUMU26I6EULG6SCK67TUEXZYR/
https://seclists.org/oss-sec/2021/q2/206Mailing List, Third Party Advisory
https://security.gentoo.org/glsa/202107-38Third Party Advisory
https://security.netapp.com/advisory/ntap-20210727-0008/Third Party Advisory
https://www.debian.org/security/2021/dsa-4937Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.htmlPatch, Third Party Advisory

Timeline

Published: Jun 15, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-31618?

How severe is CVE-2021-31618?

CVE-2021-31618 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 51.21% probability of exploitation in the next 30 days.

How do I fix CVE-2021-31618?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-31618?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST