How severe is CVE-2018-1302?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 5.9 out of 10.

What type of vulnerability is CVE-2018-1302?

This is classified as CWE-476, which is a common weakness in software security.

CVE-2018-1302 - MEDIUM Severity | CVSS 5.9

Vulnerability Description

When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could have written a NULL pointer potentially to an already freed memory. The memory pools maintained by the server make this vulnerability hard to trigger in usual configurations, the reporter and the team could not reproduce it outside debug builds, so it is classified as low risk.

Related Vulnerabilities

CVE-2015-5316

MEDIUM

CVSS:5.9(Medium)

The eap_pwd_perform_confirm_exchange function in eap_peer/eap_pwd.c in wpa_supplicant 2.x before 2.6, when EAP-pwd is enabled in a network configuration profile, allows remote attackers to cause a den...

CWE-4762015

CVE-2015-7977

MEDIUM

CVSS:5.9(Medium)

ntpd in NTP before 4.2.8p6 and 4.3.x before 4.3.90 allows remote attackers to cause a denial of service (NULL pointer dereference) via a ntpdc reslist command.

CWE-4762015

CVE-2015-8762

MEDIUM

CVSS:5.9(Medium)

The EAP-PWD module in FreeRADIUS 3.0 through 3.0.8 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a zero-length EAP-PWD packet.

CWE-4762015

CVE-2016-2365

MEDIUM

CVSS:5.9(Medium)

A denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in a null pointer dereference. A malic...

CWE-4762016

CVE-2016-2369

MEDIUM

CVSS:5.9(Medium)

A NULL pointer dereference vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in a denial of service vulnerab...

CWE-4762016

CVE-2016-5354

MEDIUM

CVSS:5.9(Medium)

The USB subsystem in Wireshark 1.12.x before 1.12.12 and 2.x before 2.0.4 mishandles class types, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.

CWE-4762016