ALPINE-CVE-2018-1302

ALPINE-CVE-2018-1302 PUBLISHED CVSS 5.900000095367432 MEDIUM

When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could have written a NULL pointer potentially to an already freed memory. The memory pools maintained by the server make this vulnerability hard to trigger in usual configurations, the reporter and the team could not reproduce it outside debug builds, so it is classified as low risk.

Risk Scores

CVSS v3.0

5.900000095367432

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products

Vendor	Product	Versions
Alpine:v3.7	apache2	0, 2.4.9-r1, 2.4.9-r0
Alpine:v3.4	apache2	2.2.21-r2, 0, 2.2.16-r0
Alpine:v3.14	apache2	2.4.6-r0, 2.4.9-r1, 2.4.9-r0
Alpine:v3.19	apache2	2.4.25-r0, 2.4.9-r1, 2.4.9-r0
Alpine:v3.16	apache2	2.4.12-r0, 2.4.9-r1, 2.4.9-r0
Alpine:v3.10	apache2	2.4.9-r1, 2.4.9-r0, 2.4.7-r0
Alpine:v3.8	apache2	2.4.17-r0, 0, 2.2.16-r0
Alpine:v3.23	apache2	2.4.9-r1, 2.4.9-r0, 2.4.7-r0
Alpine:v3.6	apache2	2.4.17-r4, 2.4.9-r1, 2.4.9-r0
Alpine:v3.22	apache2	2.4.12-r0, 0, 2.2.16-r0
Alpine:v3.9	apache2	2.4.28-r0, 2.4.27-r2, 2.4.27-r1
Alpine:v3.21	apache2	2.2.21-r2, 0, 2.2.16-r0
Alpine:v3.17	apache2	2.4.9-r1, 2.2.16-r0, 2.2.16-r1
Alpine:v3.20	apache2	2.4.10-r0, 0, 2.4.9-r1
Alpine:v3.18	apache2	2.2.20-r0, 2.4.9-r1, 2.4.9-r0
Alpine:v3.13	apache2	0, 2.2.22-r0, 2.2.22-r1
Alpine:v3.5	apache2	2.4.9-r1, 2.4.9-r0, 2.4.7-r0
Alpine:v3.15	apache2	2.4.17-r1, 2.2.22-r0, 2.2.22-r1
Alpine:v3.12	apache2	2.4.6-r2, 2.2.21-r2, 2.2.21-r1
Alpine:v3.11	apache2	2.4.9-r1, 2.2.16-r0, 2.2.16-r1

Timeline

Mar 26, 2018 CVE Published
Dec 3, 2025 CVE Updated
Apr 30, 2026 Distribution Patch

References

https://security.alpinelinux.org/vuln/CVE-2018-1302 advisory

Open in Interactive Console →