ALPINE-CVE-2021-31618
Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions and HTTP response is sent to the client with a status code indicating why the request was rejected. This rejection response was not fully initialised in the HTTP/2 protocol handler if the offending header was the very first one received or appeared in a a footer. This led to a NULL pointer dereference on initialised memory, crashing reliably the child process. Since such a triggering HTTP/2 request is easy to craft and submit, this can be exploited to DoS the server. This issue affected mod_http2 1.15.17 and Apache HTTP Server version 2.4.47 only. Apache HTTP Server 2.4.47 was never released.
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Alpine:v3.19 | apache2 | 2.4.23-r7, 2.4.23-r6, 2.4.23-r5 |
| Alpine:v3.21 | apache2 | 2.4.33-r0, 2.4.9-r1, 2.4.9-r0 |
| Alpine:v3.23 | apache2 | 0, 2.4.9-r0, 2.4.7-r0 |
| Alpine:v3.16 | apache2 | 2.4.41-r0, 2.2.16-r0, 2.2.16-r1 |
| Alpine:v3.10 | apache2 | 0, 2.4.9-r1, 2.4.9-r0 |
| Alpine:v3.22 | apache2 | 2.2.16-r1, 2.4.17-r7, 0 |
| Alpine:v3.14 | apache2 | 2.4.17-r2, 2.2.16-r2, 2.4.12-r2 |
| Alpine:v3.18 | apache2 | 2.4.23-r8, 2.4.23-r5, 2.4.23-r4 |
| Alpine:v3.11 | apache2 | 2.4.9-r1, 0, 2.2.16-r0 |
| Alpine:v3.17 | apache2 | 2.2.16-r1, 0, 2.2.16-r0 |
| Alpine:v3.15 | apache2 | 2.4.9-r1, 2.2.16-r0, 2.2.16-r1 |
| Alpine:v3.20 | apache2 | 2.4.23-r7, 2.2.16-r1, 2.2.16-r3 |
| Alpine:v3.12 | apache2 | 2.4.17-r1, 2.2.16-r3, 2.4.23-r9 |
| Alpine:v3.13 | apache2 | 2.4.17-r6, 2.4.17-r5, 2.4.17-r4 |
Timeline
- Jun 15, 2021 CVE Published
- Dec 3, 2025 CVE Updated
- Apr 30, 2026 Distribution Patch