A vulnerability in the Apache HTTP Server could allow an unauthenticated, remote malicious user to cause a denial of service (DoS) condition on a targeted system. The vulnerability exists when HTTP/2 is enabled for an http: host or when H2Upgrade is enabled for h2 on an https: host, and is due to the improper handling of an Upgrade request from http/1.1 to http/2 when the Upgrade request is not the first request on the connection. An attacker could exploit this vulnerability by sending requests that submit malicious input to the affected software. A successful exploit could allow the malicious user to cause the affected software to terminate abnormally, resulting in a DoS condition. Apache has confirmed the vulnerability and released software updates.