A crafted HTTP2 request can trigger reference to request data from a memory pool after its destruction. This memory is subsequently used as input to an sprintf type function for constructing a string value. This unsafe memory access ultimately means that the
r->the_request string is poisoned with unintended data.
To reproduce the problem, I have attached a script that will download/compile Apache httpd and reproduce the behavior with ASAN enabled. The archive also contains a nice ASAN output from the event.
This is an unsafe memory access. It could lead to process crashes, assist in other exploits, or reveal confidential data through unexplored interactions with other httpd modules.