CVE-2016-8740

HIGH

Apache HTTP Server 2.4.17-2.4.23 - DoS

Exploitation Summary

EIP tracks 3 public exploits for CVE-2016-8740. PoCs published by Jungun Baek, jptr218, lcfpadilha.

AI-analyzed exploit summary: This exploit targets CVE-2016-8740, a memory consumption DoS vulnerability in Apache HTTP Server's mod_http2 module. It sends crafted CONTINUATION frames to exhaust server memory.

Description

The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2c, does not restrict request-header length, which allows remote attackers to cause a denial of service (memory consumption) via crafted CONTINUATION frames in an HTTP/2 request.

Exploits (3)

exploitdb WORKING POC
by Jungun Baek · python · dos · linux
https://www.exploit-db.com/exploits/40909

This exploit targets CVE-2016-8740, a memory consumption DoS vulnerability in Apache HTTP Server's mod_http2 module. It sends crafted CONTINUATION frames to exhaust server memory.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: Apache HTTP Server 2.4.17 through 2.4.23 with mod_http2 enabled
No auth needed
Prerequisites: Network access to the target server · HTTP/2 protocol enabled on the target
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 star
by jptr218 · poc
https://github.com/jptr218/apachedos

This repository contains a functional proof-of-concept exploit for CVE-2016-8740, which targets Apache HTTPD 2.4.17-2.4.23 by sending maliciously crafted HTTP/2 requests to trigger excessive memory allocation, leading to a denial-of-service (DoS) condition.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: Apache HTTPD 2.4.17-2.4.23
No auth needed
Prerequisites: Target server must support HTTP/2 · Network connectivity to the target
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 1 star
by lcfpadilha · poc
https://github.com/lcfpadilha/mac0352-ep4

This repository contains a functional Python exploit for CVE-2016-8740, a denial-of-service vulnerability in Apache HTTP Server 2.4.17-2.4.23. The exploit sends crafted HTTP/2 CONTINUATION frames to consume memory on the target server.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: Apache HTTP Server 2.4.17-2.4.23
No auth needed
Prerequisites: HTTP/2 support enabled on the target server
devstral-2 · analyzed Feb 18, 2026

References (28)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1037388
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:1413
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:1161
Third Party Advisory x_refsource_confirm
https://www.tenable.com/security/tns-2017-04
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:1414
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2017-1415.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/94650
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201701-36
Vendor Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20180423-0001/
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT208221
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/40909/

Scores

CVSS v3 7.5
EPSS 0.7907
EPSS Percentile 99.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE: CWE-20, CWE-399
Status: published
Products (8)
apache/http_server 2.4.17
apache/http_server 2.4.18
apache/http_server 2.4.19
apache/http_server 2.4.20
apache/http_server 2.4.21
apache/http_server 2.4.22
apache/http_server 2.4.23
Apache Software Foundation/Apache HTTP Server 2.4.17 - 2.4.23
Published Dec 05, 2016
Tracked Since Feb 18, 2026