SB2026050479 - Multiple vulnerabilities in Apache HTTP Server

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026050479

SB2026050479 - Multiple vulnerabilities in Apache HTTP Server

Published: May 4, 2026

Security Bulletin ID SB2026050479
CSH Severity
High
Patch available
YES
Number of vulnerabilities 11
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 27% Medium 64% Low 9%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 11 secuirty vulnerabilities.


1) Out-of-bounds read (CVE-ID: CVE-2026-34059)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to a heap over-read in mod_proxy_ajp ajp_parse_data() when processing AJP messages from a backend server. A remote attacker can send a specially crafted AJP message to disclose sensitive information.

Exploitation requires Apache HTTP Server to connect to an untrusted or compromised AJP backend server.


2) Out-of-bounds read (CVE-ID: CVE-2026-34032)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper null termination leading to an out-of-bounds read in mod_proxy_ajp ajp_msg_get_string when parsing AJP string data. A remote attacker can send a specially crafted AJP message to disclose sensitive information.

Exploitation requires Apache HTTP Server to connect to an untrusted or compromised AJP backend server.


3) Out-of-bounds read (CVE-ID: CVE-2026-33857)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in mod_proxy_ajp AJP getter functions when parsing AJP data. A remote attacker can send a specially crafted AJP message to disclose sensitive information.

Exploitation requires Apache HTTP Server to connect to an untrusted or compromised AJP backend server.


4) HTTP response splitting (CVE-ID: CVE-2026-33523)

The vulnerability allows a remote attacker to manipulate HTTP responses.

The vulnerability exists due to improper neutralization of CRLF sequences in multiple Apache HTTP Server modules when forwarding a backend status line. A remote attacker can supply a malicious backend response to manipulate HTTP responses.

Exploitation requires an untrusted or compromised backend server.


5) NULL pointer dereference (CVE-ID: CVE-2026-33007)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in mod_authn_socache when handling requests in a caching forward proxy configuration. A remote attacker can send a malicious request to cause a denial of service.

The issue crashes a child process only in a caching forward proxy configuration.


6) Information Exposure Through Timing Discrepancy (CVE-ID: CVE-2026-33006)

The vulnerability allows a remote attacker to bypass Digest authentication.

The vulnerability exists due to a timing side-channel in mod_auth_digest when processing Digest authentication. A remote attacker can perform a timing attack to bypass Digest authentication.


7) NULL pointer dereference (CVE-ID: CVE-2026-29169)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in mod_dav_lock when handling requests. A remote attacker can send a malicious request to cause a denial of service.

mod_dav_lock is not used internally by mod_dav or mod_dav_fs, and the only known use-case mentioned is mod_dav_svn earlier than version 1.2.0.


8) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-29168)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to allocation of resources without limits or throttling in mod_md when processing OCSP response data. A remote attacker can provide crafted OCSP response data to cause a denial of service.


9) Heap-based buffer overflow (CVE-ID: CVE-2026-28780)

The vulnerability allows a remote attacker to cause a denial of service or potentially execute arbitrary code.

The vulnerability exists due to a heap-based buffer overflow in mod_proxy_ajp ajp_msg_check_header() when processing AJP messages from a backend server. A remote attacker can send a specially crafted AJP message to cause a denial of service or potentially execute arbitrary code.

The malicious AJP server can cause 4 attacker-controlled bytes to be written past the end of a heap-based buffer.


10) Improper access control (CVE-ID: CVE-2026-24072)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper access control in various Apache HTTP Server modules when evaluating ap_expr from .htaccess files. A local user can create a crafted .htaccess expression to disclose sensitive information.

The issue affects local .htaccess authors and allows reading files with the privileges of the httpd user.


11) Double free (CVE-ID: CVE-2026-23918)

The vulnerability allows a remote attacker to cause a denial of service and possibly execute arbitrary code.

The vulnerability exists due to a double free in Apache HTTP Server HTTP/2 handling when processing an early reset. A remote attacker can trigger an early reset condition to cause a denial of service and possibly execute arbitrary code.

The issue is specific to the HTTP/2 protocol.


Remediation

Install update from vendor's website.

References