AlmaLinux has released an important security patch for version 10 that addresses a critical flaw in the mod_http2 Apache module. The update specifically targets CVE-2026-49975, which allows attackers to trigger remote denial of service attacks using compression bombs and Slowloris techniques. System administrators should apply this errata immediately to protect their web servers from potential service disruptions. Full technical details along with the updated packages are available through the official AlmaLinux errata portal.

ALSA-2026:25225: mod_http2 security update (Important)

ALSA-2026:25225: mod_http2 security update (Important)

Hi,

You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.

AlmaLinux: 10
Type: Security
Severity: Important
Release date: 2026-06-11

Summary:

The mod_h2 Apache httpd module implements the HTTP2 protocol (h2+h2c) on top of libnghttp2 for httpd 2.4 servers.

Security Fix(es):

* httpd: HTTP/2: Remote Denial of Service via compression bomb and Slowloris-style attack (CVE-2026-49975)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/10/ALSA-2026-25225.html

This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.

Kind regards,
AlmaLinux Team