VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-ngsg-cz1q-z7f8

Essentials
Severities (21)
References (12)
Severity details (3)
Exploits (1)
EPSS
History (1)

Vulnerability ID	VCID-ngsg-cz1q-z7f8
Aliases	CVE-2016-8740
Summary	The HTTP/2 protocol implementation (mod_http2) had an incomplete handling of the LimitRequestFields directive. This allowed an attacker to inject unlimited request headers into the server, leading to eventual memory exhaustion.
Status	Published
Exploitability	2.0
Weighted Severity	5.3
Risk	10.0
Affected and Fixed Packages	Package Details

Weaknesses (2)

CWE-20	Improper Input Validation
CWE-770	Allocation of Resources Without Limits or Throttling

System	Score	Found at
cvssv3	5.9	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-8740.json
epss	0.56733	https://api.first.org/data/v1/epss?cve=CVE-2016-8740
epss	0.56733	https://api.first.org/data/v1/epss?cve=CVE-2016-8740
epss	0.62582	https://api.first.org/data/v1/epss?cve=CVE-2016-8740
epss	0.62582	https://api.first.org/data/v1/epss?cve=CVE-2016-8740
epss	0.62582	https://api.first.org/data/v1/epss?cve=CVE-2016-8740
epss	0.62627	https://api.first.org/data/v1/epss?cve=CVE-2016-8740
epss	0.62627	https://api.first.org/data/v1/epss?cve=CVE-2016-8740
epss	0.62627	https://api.first.org/data/v1/epss?cve=CVE-2016-8740
epss	0.62627	https://api.first.org/data/v1/epss?cve=CVE-2016-8740
epss	0.62627	https://api.first.org/data/v1/epss?cve=CVE-2016-8740
epss	0.62627	https://api.first.org/data/v1/epss?cve=CVE-2016-8740
epss	0.62627	https://api.first.org/data/v1/epss?cve=CVE-2016-8740
epss	0.62627	https://api.first.org/data/v1/epss?cve=CVE-2016-8740
epss	0.62627	https://api.first.org/data/v1/epss?cve=CVE-2016-8740
epss	0.62627	https://api.first.org/data/v1/epss?cve=CVE-2016-8740
epss	0.62627	https://api.first.org/data/v1/epss?cve=CVE-2016-8740
epss	0.62627	https://api.first.org/data/v1/epss?cve=CVE-2016-8740
epss	0.62627	https://api.first.org/data/v1/epss?cve=CVE-2016-8740
cvssv2	4.3	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
apache_httpd	low	https://httpd.apache.org/security/json/CVE-2016-8740.json

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-8740.json
		https://api.first.org/data/v1/epss?cve=CVE-2016-8740
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8740
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
1401528		https://bugzilla.redhat.com/show_bug.cgi?id=1401528
847124		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847124
CVE-2016-8740	Exploit	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/linux/dos/40909.py
CVE-2016-8740		https://httpd.apache.org/security/json/CVE-2016-8740.json
RHSA-2017:1161		https://access.redhat.com/errata/RHSA-2017:1161
RHSA-2017:1413		https://access.redhat.com/errata/RHSA-2017:1413
RHSA-2017:1414		https://access.redhat.com/errata/RHSA-2017:1414
RHSA-2017:1415		https://access.redhat.com/errata/RHSA-2017:1415

Data source	Exploit-DB
Date added	Dec. 12, 2016
Description	Apache 2.4.23 mod_http2 - Denial of Service
Ransomware campaign use	Unknown
Source publication date	Dec. 12, 2016
Exploit type	dos
Platform	linux
Source update date	Dec. 14, 2016

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-8740.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Exploitability (E)	Access Vector (AV)	Access Complexity (AC)	Authentication (Au)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
high functional unproven proof_of_concept not_defined	local adjacent_network network	high medium low	multiple single none	none partial complete	none partial complete	none partial complete

Exploitability (E)

Access Vector (AV)

Access Complexity (AC)

Authentication (Au)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

partial

complete

none

partial

complete

none

partial

complete

Exploit Prediction Scoring System (EPSS)

Percentile	0.98032
EPSS Score	0.56733
Published At	Aug. 3, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2025-07-31T08:29:02.025991+00:00	Apache HTTPD Importer	Import	https://httpd.apache.org/security/json/CVE-2016-8740.json	37.0.0