Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-54u4-szhc-zycj
Vulnerability ID VCID-54u4-szhc-zycj
Aliases CVE-2020-11993
Summary In Apache HTTP Server versions 2.4.20 to 2.4.43, when trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers.
Status Published
Exploitability 0.5
Weighted Severity 6.8
Risk 3.4
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-400 Uncontrolled Resource Consumption
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-11993.json
epss 0.2745 https://api.first.org/data/v1/epss?cve=CVE-2020-11993
epss 0.2745 https://api.first.org/data/v1/epss?cve=CVE-2020-11993
epss 0.2745 https://api.first.org/data/v1/epss?cve=CVE-2020-11993
cvssv3.1 5.3 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
apache_httpd moderate https://httpd.apache.org/security/json/CVE-2020-11993.json
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-11993.json
https://api.first.org/data/v1/epss?cve=CVE-2020-11993
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11984
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11993
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1934
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9490
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
1866564 https://bugzilla.redhat.com/show_bug.cgi?id=1866564
CVE-2020-11993 https://httpd.apache.org/security/json/CVE-2020-11993.json
GLSA-202008-04 https://security.gentoo.org/glsa/202008-04
RHSA-2020:4383 https://access.redhat.com/errata/RHSA-2020:4383
RHSA-2020:4384 https://access.redhat.com/errata/RHSA-2020:4384
RHSA-2021:1809 https://access.redhat.com/errata/RHSA-2021:1809
USN-4458-1 https://usn.ubuntu.com/4458-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-11993.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.96512
EPSS Score 0.2745
Published At June 4, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-02T04:53:49.893752+00:00 Apache HTTPD Importer Import https://httpd.apache.org/security/json/CVE-2020-11993.json 38.6.0