{
  "threat_severity" : "Moderate",
  "public_date" : "2025-07-10T16:59:06Z",
  "bugzilla" : {
    "description" : "mod_http2: Apache HTTP Server: HTTP/2 DoS by Memory Increase",
    "id" : "2379343",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2379343"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-401",
  "details" : [ "Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server.\nThis issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63.\nUsers are recommended to upgrade to version 2.4.64, which fixes the issue.", "A flaw was found in Apache HTTP Server. This late release of memory after its effective lifetime allows a remote, unauthenticated attacker to cause a denial of service (DoS). The vulnerability can lead to resource exhaustion, making the server unavailable to legitimate users." ],
  "affected_release" : [ {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2026-06-22T00:00:00Z",
    "advisory" : "RHSA-2026:27200",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-httpd-0:2.4.62-13.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2026-06-22T00:00:00Z",
    "advisory" : "RHSA-2026:27200",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-mod_http2-0:2.0.29-10.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2026-06-22T00:00:00Z",
    "advisory" : "RHSA-2026:27200",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-httpd-0:2.4.62-13.el7jbcs"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2026-06-22T00:00:00Z",
    "advisory" : "RHSA-2026:27200",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_http2-0:2.0.29-10.el7jbcs"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-06-03T00:00:00Z",
    "advisory" : "RHSA-2026:22528",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.2",
    "package" : "mod_http2-0:2.0.29-4.el10_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-06-01T00:00:00Z",
    "advisory" : "RHSA-2026:22140",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "httpd:2.4-8100020260519200905.489197e6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-06-03T00:00:00Z",
    "advisory" : "RHSA-2026:22551",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "mod_http2-0:2.0.26-6.el9_8"
  }, {
    "product_name" : "Red Hat JBoss Core Services 2.4.62.SP4",
    "release_date" : "2026-06-22T00:00:00Z",
    "advisory" : "RHSA-2026:27201",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1",
    "package" : "jbcs-httpd24-httpd"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-53020\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-53020\nhttps://httpd.apache.org/security/vulnerabilities_24.html" ],
  "name" : "CVE-2025-53020",
  "mitigation" : {
    "value" : "The attack surface can be reduced by disabling HTTP/2 support in Apache.\nFollow the guidance in the Red Hat KCS article to:\n- Remove h2 and h2c from the Protocols directive\n- Disable the mod_http2 and mod_proxy_http2 modules (if not required)\nhttps://access.redhat.com/node/7056356",
    "lang" : "en:us"
  },
  "csaw" : false
}