CVE-2026-49975 Apache HTTP Server Vulnerability in NetApp Products
Summary
The default HTTP/2 protocol configuration in certain web servers, such as Apache HTTP Server, allows a remote Denial of Service (DoS). This vulnerability is known as HTTP/2 Bomb. Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). Affected products: Management Services for Element Software and NetApp HCI. NetApp reports that one or more additional products remain under investigation; review the canonical advisory for current status. NetApp states there is no workaround available at this time.
What this means
In plain English
The default HTTP/2 protocol configuration in certain web servers, such as Apache HTTP Server, allows a remote Denial of Service (DoS). This vulnerability is known as HTTP/2 Bomb. Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). Affected products: Management Services for Element Software and NetApp HCI. NetApp reports that one or more additional products remain under investigation; review the canonical advisory for current status. NetApp states there is no workaround available at this time. Information disclosure can expose data available to the affected component beyond its intended authorization boundary.
Vulnerable items
- Management Services for Element Software and NetApp HCI — Management Services for Element Software and NetApp HCI is a NetApp management component used to administer connected systems or services.
Recommended action
The vendor explicitly states that no mitigation or workaround is available. Follow the official advisory for fixed-release guidance and prioritize the vendor's permanent remediation path.
Rewritten locally from the scraped official advisory data above; no generative API is used. The vendor advisory is authoritative.
Affected versions
No affected-version range was extracted from the source record. The vendor advisory is authoritative — check it before change work.
Official advisory · medium-confidence parse· fetched 2 hours ago·verify at source
Fixed versions
No fixed release is recorded yet. That does not prove no patch exists — confirm against the vendor advisory.
Official advisory · medium-confidence parse· fetched 2 hours ago·verify at source
Mitigation
The vendor states no workaround or mitigation is currently available. Prioritize upgrading to a fixed release, and follow the official advisory for interim guidance.
Official advisory · medium-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.