CVE-2026-54399

Name: CVE-2026-54399
Description: Uncontrolled Resource Consumption vulnerability in the HTTP/1.1 message parser in Apache HttpComponents Core (5.4.2 and earlier, 5.5-beta1 and earlier) allows a remote attacker to cause a denial of service through memory exhaustion by sending messages with an excessive number of headers or excessive header length.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package              Release                        Version     Status
httpcomponents-core (PTS)   bullseye                       4.4.14-1    vulnerable
httpcomponents-core (PTS)   forky, sid, bookworm, trixie   4.4.16-1    vulnerable
httpcomponents-core5 (PTS)  bookworm                       5.2.1-1     vulnerable
httpcomponents-core5 (PTS)  trixie                         5.2.2-1     vulnerable
httpcomponents-core5 (PTS)  forky, sid                     5.4.2-1.1   vulnerable

The information below is based on the following data on fixed versions.

Package               Type     Release     Fixed Version   Urgency   Origin   Debian Bugs
httpcomponents-core   source   (unstable)  (unfixed)
httpcomponents-core5  source   (unstable)  (unfixed)

Notes

https://lists.apache.org/thread/zmxh1pl2zohov5ntdh4lt85gfrlchgpy
v4 is possibly not affected; this needs further validation once the upstream fix is identified.
