SB2026051240 - Multiple vulnerabilities in IBM HTTP Server

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026051240

SB2026051240 - Multiple vulnerabilities in IBM HTTP Server

Published: May 12, 2026

Security Bulletin ID SB2026051240
CSH Severity
High
Patch available
YES
Number of vulnerabilities 7
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 14% Medium 57% Low 29%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 7 vulnerabilities.


1) Improper access control (CVE-ID: CVE-2026-24072)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper access control in various Apache HTTP Server modules when evaluating ap_expr from .htaccess files. A local user can create a crafted .htaccess expression to disclose sensitive information.

The issue affects local .htaccess authors and allows reading files with the privileges of the httpd user.


2) Heap-based buffer overflow (CVE-ID: CVE-2026-28780)

The vulnerability allows a remote attacker to cause a denial of service or potentially execute arbitrary code.

The vulnerability exists due to a heap-based buffer overflow in mod_proxy_ajp ajp_msg_check_header() when processing AJP messages from a backend server. A remote attacker can send a specially crafted AJP message to cause a denial of service or potentially execute arbitrary code.

The malicious AJP server can cause 4 attacker-controlled bytes to be written past the end of a heap-based buffer.


3) Out-of-bounds read (CVE-ID: CVE-2026-34059)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to a heap over-read in mod_proxy_ajp ajp_parse_data() when processing AJP messages from a backend server. A remote attacker can send a specially crafted AJP message to disclose sensitive information.

Exploitation requires Apache HTTP Server to connect to an untrusted or compromised AJP backend server.


4) HTTP response splitting (CVE-ID: CVE-2026-33523)

The vulnerability allows a remote attacker to manipulate HTTP responses.

The vulnerability exists due to improper neutralization of CRLF sequences in multiple Apache HTTP Server modules when forwarding a backend status line. A remote attacker can supply a malicious backend response to manipulate HTTP responses.

Exploitation requires an untrusted or compromised backend server.


5) Insufficient entropy (CVE-ID: CVE-2026-41080)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to insufficient entropy. A remote attacker can supply a specially crafted XML document and flood hashes, leading to a denial of service condition. 


6) Out-of-bounds read (CVE-ID: CVE-2026-33857)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in mod_proxy_ajp AJP getter functions when parsing AJP data. A remote attacker can send a specially crafted AJP message to disclose sensitive information.

Exploitation requires Apache HTTP Server to connect to an untrusted or compromised AJP backend server.


7) Out-of-bounds read (CVE-ID: CVE-2026-34032)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper null termination leading to an out-of-bounds read in mod_proxy_ajp ajp_msg_get_string when parsing AJP string data. A remote attacker can send a specially crafted AJP message to disclose sensitive information.

Exploitation requires Apache HTTP Server to connect to an untrusted or compromised AJP backend server.


Remediation

Install update from vendor's website.

References