CVE-2026-49975
Publication date 3 June 2026
Last updated 9 June 2026
Ubuntu priority
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| apache2 | 26.04 LTS resolute |
Fixed 2.4.66-2ubuntu2.2
|
| 25.10 questing |
Fixed 2.4.64-1ubuntu3.5
|
|
| 24.04 LTS noble |
Fixed 2.4.58-1ubuntu8.13
|
|
| 22.04 LTS jammy |
Fixed 2.4.52-1ubuntu4.21
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial |
Needs evaluation
|
|
| 14.04 LTS trusty |
Needs evaluation
|
|
| nginx | 26.04 LTS resolute |
Vulnerable
|
| 25.10 questing |
Vulnerable
|
|
| 24.04 LTS noble |
Vulnerable
|
|
| 22.04 LTS jammy |
Vulnerable
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial |
Needs evaluation
|
|
| 14.04 LTS trusty |
Needs evaluation
|
Notes
mdeslaur
nginx fixed this by releasing 1.29.8 with a max_headers directive with a default of 1000. They did not mention this release on their security page, and did not assign an nginx specific CVE to this issue. The nginx fix for this issue breaks ABI and introduced a regression causing nginx to crash when being used with external modules. The CVE fix was reverted in 8398-2 pending further investigation.
References
Related Ubuntu Security Notices (USN)
- USN-8384-1
- Apache HTTP Server vulnerability
- 4 June 2026
- USN-8398-1
- nginx vulnerability
- 8 June 2026