SB2026050772 - Ubuntu update for apache2

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026050772

SB2026050772 - Ubuntu update for apache2

Published: May 7, 2026

Security Bulletin ID SB2026050772
CSH Severity
High
Patch available
YES
Number of vulnerabilities 11
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 27% Medium 64% Low 9%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 11 vulnerabilities.


1) Double free (CVE-ID: CVE-2026-23918)

The vulnerability allows a remote attacker to cause a denial of service and possibly execute arbitrary code.

The vulnerability exists due to a double free in Apache HTTP Server HTTP/2 handling when processing an early reset. A remote attacker can trigger an early reset condition to cause a denial of service and possibly execute arbitrary code.

The issue is specific to the HTTP/2 protocol.


2) Improper access control (CVE-ID: CVE-2026-24072)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper access control in various Apache HTTP Server modules when evaluating ap_expr from .htaccess files. A local user can create a crafted .htaccess expression to disclose sensitive information.

The issue affects local .htaccess authors and allows reading files with the privileges of the httpd user.


3) Heap-based buffer overflow (CVE-ID: CVE-2026-28780)

The vulnerability allows a remote attacker to cause a denial of service or potentially execute arbitrary code.

The vulnerability exists due to a heap-based buffer overflow in mod_proxy_ajp ajp_msg_check_header() when processing AJP messages from a backend server. A remote attacker can send a specially crafted AJP message to cause a denial of service or potentially execute arbitrary code.

The malicious AJP server can cause 4 attacker-controlled bytes to be written past the end of a heap-based buffer.


4) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-29168)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to allocation of resources without limits or throttling in mod_md when processing OCSP response data. A remote attacker can provide crafted OCSP response data to cause a denial of service.


5) NULL pointer dereference (CVE-ID: CVE-2026-29169)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in mod_dav_lock when handling requests. A remote attacker can send a malicious request to cause a denial of service.

mod_dav_lock is not used internally by mod_dav or mod_dav_fs, and the only known use-case mentioned is mod_dav_svn earlier than version 1.2.0.


6) Information Exposure Through Timing Discrepancy (CVE-ID: CVE-2026-33006)

The vulnerability allows a remote attacker to bypass Digest authentication.

The vulnerability exists due to a timing side-channel in mod_auth_digest when processing Digest authentication. A remote attacker can perform a timing attack to bypass Digest authentication.


7) NULL pointer dereference (CVE-ID: CVE-2026-33007)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in mod_authn_socache when handling requests in a caching forward proxy configuration. A remote attacker can send a malicious request to cause a denial of service.

The issue crashes a child process only in a caching forward proxy configuration.


8) HTTP response splitting (CVE-ID: CVE-2026-33523)

The vulnerability allows a remote attacker to manipulate HTTP responses.

The vulnerability exists due to improper neutralization of CRLF sequences in multiple Apache HTTP Server modules when forwarding a backend status line. A remote attacker can supply a malicious backend response to manipulate HTTP responses.

Exploitation requires an untrusted or compromised backend server.


9) Out-of-bounds read (CVE-ID: CVE-2026-33857)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in mod_proxy_ajp AJP getter functions when parsing AJP data. A remote attacker can send a specially crafted AJP message to disclose sensitive information.

Exploitation requires Apache HTTP Server to connect to an untrusted or compromised AJP backend server.


10) Out-of-bounds read (CVE-ID: CVE-2026-34032)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper null termination leading to an out-of-bounds read in mod_proxy_ajp ajp_msg_get_string when parsing AJP string data. A remote attacker can send a specially crafted AJP message to disclose sensitive information.

Exploitation requires Apache HTTP Server to connect to an untrusted or compromised AJP backend server.


11) Out-of-bounds read (CVE-ID: CVE-2026-34059)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to a heap over-read in mod_proxy_ajp ajp_parse_data() when processing AJP messages from a backend server. A remote attacker can send a specially crafted AJP message to disclose sensitive information.

Exploitation requires Apache HTTP Server to connect to an untrusted or compromised AJP backend server.


Remediation

Install update from vendor's website.

References