Apache Addresses Multiple Vulnerabilities Impacting the HTTP Server

Apache has released security updates for the HTTP Server, addressing several security vulnerabilities. One of the vulnerabilities, tracked as CVE-2026-23918, can result in remote code execution.

The Apache HTTP Server, colloquially known as Apache, is a free, open-source web server software that serves web content over the Internet. It runs on modern operating systems, including Linux, Unix, Microsoft Windows, and macOS.

CVE-2026-23918

Apache described the vulnerability as a double-free issue with possible remote code execution in the HTTP/2 protocol handler. Apache allocates memory to handle an incoming request. An attacker may send a specially crafted frame that will cause the server’s memory management logic to free the same memory region twice – a condition known as a double-free. That corrupts the heap and provides the attacker with a potential path to redirect how the server executes code.
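As an added illustration (not Apache's code), the following C snippet shows the ownership discipline that prevents the bug class described above: a buffer is released through one guarded function that nulls the pointer, so a second release on an error path becomes a no-op instead of a second free() on the same heap region. The `frame_buf` type, `process_frame` and the sample frame bytes are hypothetical stand-ins for the HTTP/2 handler, not its real structures.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical buffer type whose ownership is tracked explicitly. */
typedef struct {
    unsigned char *data;
    size_t len;
} frame_buf;

/* Constructed sample frame bytes (not captured traffic). */
static const unsigned char sample_frame[] = {
    0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x01, 'd', 'a', 't', 'a'
};

/* Allocate a buffer and copy the frame payload into it. Returns 0 on success. */
static int frame_buf_init(frame_buf *fb, const unsigned char *payload, size_t len) {
    fb->data = malloc(len ? len : 1);
    if (fb->data == NULL) return -1;
    memcpy(fb->data, payload, len);
    fb->len = len;
    return 0;
}

/* Release the buffer at most once. Returns 1 if memory was freed on this
 * call, 0 if it had already been released. Nulling the pointer is what turns
 * a second release into a harmless no-op rather than a double-free. */
static int frame_buf_release(frame_buf *fb) {
    if (fb->data == NULL) return 0;
    free(fb->data);
    fb->data = NULL;
    fb->len = 0;
    return 1;
}

/* Simulates two code paths (an early error path and the common cleanup path)
 * that each believe they own the buffer. Returns the number of actual free()
 * calls performed, which must be exactly 1 whichever path is taken. */
static int process_frame(const unsigned char *payload, size_t len, int inject_error) {
    frame_buf fb;
    int frees = 0;
    if (frame_buf_init(&fb, payload, len) != 0) return -1;
    if (inject_error) {
        /* Error path releases early ... */
        frees += frame_buf_release(&fb);
    }
    /* ... and the common cleanup path releases again. */
    frees += frame_buf_release(&fb);
    return frees;
}

int main(void) {
    printf("normal path, free() calls: %d\n", process_frame(sample_frame, sizeof sample_frame, 0));
    printf("error path,  free() calls: %d\n", process_frame(sample_frame, sizeof sample_frame, 1));
    return 0;
}
```

The same guard is what sanitizers such as ASan would otherwise report as a double-free at runtime; building test instances of httpd with sanitizers enabled is the practical way to catch this class before it reaches production.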

CVE-2026-24072

A privilege escalation vulnerability in various modules of Apache HTTP Server allows local .htaccess authors to read files with the privileges of the httpd user.

CVE-2026-28780

A heap-based buffer overflow vulnerability exists in mod_proxy_ajp of the Apache HTTP Server. If mod_proxy_ajp is connected to a malicious AJP server, this AJP server can send a malicious AJP message back to mod_proxy_ajp, causing it to write 4 attacker-controlled bytes after the end of a heap-based buffer.

CVE-2026-29168

Oversized OCSP response packets can exhaust server resources, slow things down, or cause a crash.

CVE-2026-29169

A NULL pointer dereference vulnerability in mod_dav_lock in Apache HTTP Server may allow an attacker to crash the server with a malicious request.

CVE-2026-33006

A timing attack against mod_auth_digest in the Apache HTTP Server may allow a remote attacker to bypass Digest authentication.
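The following added example (not Apache's code) shows why a Digest response check must be compared in constant time. Both comparison functions are instrumented with a step counter: the early-exit version stops at the first differing byte, so its running time reveals how many leading characters of the guess were right, while the constant-time version always examines every byte. The `verify_digest_response` helper and the 32-character hex values are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed Digest "response" values (32 hex chars, as with MD5). */
static const char DIGEST_EXPECTED[]    = "0123456789abcdef0123456789abcdef";
static const char DIGEST_WRONG_FIRST[] = "f123456789abcdef0123456789abcdef";
static const char DIGEST_WRONG_LAST[]  = "0123456789abcdef0123456789abcdee";

/* Early-exit comparison (the pattern that leaks timing). *steps receives the
 * number of bytes examined before a decision was reached. */
static int compare_early_exit(const char *a, const char *b, size_t n, size_t *steps) {
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        if (a[i] != b[i]) return 0;   /* returns as soon as a byte differs */
    }
    return 1;
}

/* Constant-time comparison: visits every byte, folds differences into an
 * accumulator with OR, and never branches on the data itself. */
static int compare_const_time(const char *a, const char *b, size_t n, size_t *steps) {
    unsigned char diff = 0;
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        diff |= (unsigned char)(a[i] ^ b[i]);
    }
    return diff == 0;
}

/* Hypothetical verifier: compare the response the client sent with the value
 * the server computed. The length check may branch freely because the
 * expected length is public; only the byte comparison must be constant-time. */
static int verify_digest_response(const char *expected, const char *received) {
    size_t steps;
    size_t n = strlen(expected);
    if (strlen(received) != n) return 0;
    return compare_const_time(expected, received, n, &steps);
}

int main(void) {
    size_t s;
    compare_early_exit(DIGEST_EXPECTED, DIGEST_WRONG_FIRST, 32, &s);
    printf("early-exit, first byte wrong: %zu bytes examined\n", s);
    compare_early_exit(DIGEST_EXPECTED, DIGEST_WRONG_LAST, 32, &s);
    printf("early-exit, last byte wrong:  %zu bytes examined\n", s);
    compare_const_time(DIGEST_EXPECTED, DIGEST_WRONG_FIRST, 32, &s);
    printf("constant-time, any mismatch:  %zu bytes examined\n", s);
    printf("valid response accepted: %d\n", verify_digest_response(DIGEST_EXPECTED, DIGEST_EXPECTED));
    return 0;
}
```

In production code use the platform's dedicated routine (for example `CRYPTO_memcmp` in OpenSSL) rather than a hand-written loop, since an optimizing compiler may rewrite a naive loop back into an early-exit form.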

CVE-2026-33007

A NULL pointer dereference vulnerability in the mod_authn_socache in Apache HTTP Server may allow an unauthenticated remote user to crash a child process in a caching forward proxy configuration.

CVE-2026-33523

An HTTP response splitting vulnerability exists in multiple Apache HTTP Server modules when used with untrusted or compromised backend servers.
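As an added example (not Apache's code), the C snippet below shows the check a proxy must apply before re-emitting a header received from a backend: the field name must consist only of token characters and the value must contain no CR, LF or other control bytes, since any of those would end the header line early and let the remainder be parsed by the client as a further header or a second response. The `emit_header` function and its status codes are hypothetical.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

enum hdr_status { HDR_OK = 0, HDR_BAD_NAME, HDR_BAD_VALUE, HDR_TOO_LONG };

/* RFC 7230 "tchar": the characters permitted in a header field name. */
static int is_tchar(unsigned char c) {
    if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')) return 1;
    return c != '\0' && strchr("!#$%&'*+-.^_`|~", c) != NULL;
}

static int header_name_is_valid(const char *name) {
    if (*name == '\0') return 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        if (!is_tchar(*p)) return 0;
    }
    return 1;
}

/* A field value may contain visible characters, space and horizontal tab.
 * CR and LF are the splitting vector; other control bytes are rejected too. */
static int header_value_is_valid(const char *value) {
    for (const unsigned char *p = (const unsigned char *)value; *p; p++) {
        if (*p == '\r' || *p == '\n') return 0;
        if (*p < 0x20 && *p != '\t') return 0;
        if (*p == 0x7f) return 0;
    }
    return 1;
}

/* Format "Name: value\r\n" into out, but only after both parts pass validation.
 * A backend-supplied value is never copied to the client unchecked. */
static enum hdr_status emit_header(const char *name, const char *value,
                                   char *out, size_t outlen) {
    if (!header_name_is_valid(name)) return HDR_BAD_NAME;
    if (!header_value_is_valid(value)) return HDR_BAD_VALUE;
    int n = snprintf(out, outlen, "%s: %s\r\n", name, value);
    if (n < 0 || (size_t)n >= outlen) return HDR_TOO_LONG;
    return HDR_OK;
}

int main(void) {
    char out[256];
    /* Constructed backend headers: one clean, one carrying an embedded CRLF. */
    enum hdr_status a = emit_header("Location", "https://example.test/next", out, sizeof out);
    printf("clean value: status %d -> %s", (int)a, a == HDR_OK ? out : "(rejected)\n");
    enum hdr_status b = emit_header("Location", "https://example.test/\r\nX-Injected: 1", out, sizeof out);
    printf("value with CRLF: status %d (%s)\n", (int)b, b == HDR_BAD_VALUE ? "rejected" : "accepted");
    return 0;
}
```

Rejecting the whole response (or dropping the offending header and logging it) is preferable to stripping the control characters, because a silently "repaired" value may still carry the attacker's intended content.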

CVE-2026-33857

An out-of-bounds read vulnerability exists in mod_proxy_ajp of the Apache HTTP Server.

CVE-2026-34032

An improper null termination and out-of-bounds read vulnerability exists in the Apache HTTP Server.
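The three AJP-related entries above (the 4-byte heap overflow in CVE-2026-28780, the out-of-bounds read in CVE-2026-33857 and the improper null termination in CVE-2026-34032) all come down to trusting length fields in a message from the backend. The following added example (not mod_proxy_ajp's code) parses a simplified AJP packet (magic `A`,`B`, 2-byte big-endian length, then strings encoded as 2-byte length, bytes, 0x00 terminator) and returns a distinct error for each bug class: a string length that points past the packet (out-of-bounds read), a missing terminator byte, and a string that does not fit the destination buffer (heap overflow on write). The status enum, function names and sample packets are constructed for this demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum ajp_status {
    AJP_OK = 0,
    AJP_ERR_MAGIC,          /* first two bytes are not the container->server magic */
    AJP_ERR_LENGTH,         /* declared packet length exceeds the bytes received */
    AJP_ERR_TRUNCATED,      /* string length points past the end of the packet */
    AJP_ERR_NO_TERMINATOR,  /* string is not followed by the required 0x00 byte */
    AJP_ERR_TOO_LONG        /* string does not fit in the caller's buffer */
};

/* Big-endian 16-bit read; the caller guarantees two bytes are available. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Validate the framing: 'A','B', 2-byte payload length. On success *payload
 * and *plen describe the payload that actually exists in the received bytes. */
static enum ajp_status ajp_parse_header(const uint8_t *pkt, size_t pktlen,
                                        const uint8_t **payload, size_t *plen) {
    if (pktlen < 4 || pkt[0] != 0x41 || pkt[1] != 0x42) return AJP_ERR_MAGIC;
    size_t declared = rd16(pkt + 2);
    if (declared > pktlen - 4) return AJP_ERR_LENGTH;
    *payload = pkt + 4;
    *plen = declared;
    return AJP_OK;
}

/* Parse one AJP string at *pos into out[outlen], NUL-terminated. Each check
 * maps to a bug class from the advisory: TRUNCATED -> out-of-bounds read,
 * NO_TERMINATOR -> improper null termination, TOO_LONG -> heap overflow. */
static enum ajp_status ajp_parse_string(const uint8_t *payload, size_t plen, size_t *pos,
                                        char *out, size_t outlen) {
    if (*pos > plen || plen - *pos < 2) return AJP_ERR_TRUNCATED;
    size_t slen = rd16(payload + *pos);
    *pos += 2;
    if (slen == 0xFFFF) {            /* AJP encodes a null string as 0xFFFF */
        if (outlen == 0) return AJP_ERR_TOO_LONG;
        out[0] = '\0';
        return AJP_OK;
    }
    if (plen - *pos < slen + 1) return AJP_ERR_TRUNCATED;      /* bytes + terminator must exist */
    if (payload[*pos + slen] != 0x00) return AJP_ERR_NO_TERMINATOR;
    if (slen + 1 > outlen) return AJP_ERR_TOO_LONG;            /* check before copying, never after */
    memcpy(out, payload + *pos, slen);
    out[slen] = '\0';
    *pos += slen + 1;
    return AJP_OK;
}

/* Parse a packet that carries a single string. */
static enum ajp_status ajp_parse_single_string(const uint8_t *pkt, size_t pktlen,
                                               char *out, size_t outlen) {
    const uint8_t *payload;
    size_t plen, pos = 0;
    enum ajp_status st = ajp_parse_header(pkt, pktlen, &payload, &plen);
    if (st != AJP_OK) return st;
    return ajp_parse_string(payload, plen, &pos, out, outlen);
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t pkt_good[]   = {0x41,0x42,0x00,0x08, 0x00,0x05,'h','e','l','l','o',0x00};
static const uint8_t pkt_trunc[]  = {0x41,0x42,0x00,0x08, 0x00,0x20,'h','e','l','l','o',0x00};
static const uint8_t pkt_noterm[] = {0x41,0x42,0x00,0x08, 0x00,0x05,'h','e','l','l','o','!'};
static const uint8_t pkt_badlen[] = {0x41,0x42,0x00,0x40, 0x00,0x05,'h','e','l','l','o',0x00};

int main(void) {
    char out[16];
    printf("good:     %d\n", (int)ajp_parse_single_string(pkt_good,   sizeof pkt_good,   out, sizeof out));
    printf("trunc:    %d\n", (int)ajp_parse_single_string(pkt_trunc,  sizeof pkt_trunc,  out, sizeof out));
    printf("noterm:   %d\n", (int)ajp_parse_single_string(pkt_noterm, sizeof pkt_noterm, out, sizeof out));
    printf("badlen:   %d\n", (int)ajp_parse_single_string(pkt_badlen, sizeof pkt_badlen, out, sizeof out));
    return 0;
}
```

The ordering matters: every length is checked against the bytes actually received and against the destination size before any read or write happens, and the terminator is verified rather than assumed.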

CVE-2026-34059

A buffer overflow vulnerability exists in the Apache HTTP Server.

Affected Versions

The vulnerabilities affect Apache HTTP Server version 2.4.66.

Mitigation

Users must upgrade to the latest version of Apache HTTP Server, 2.4.67, to remediate the vulnerabilities.

For more information on the vulnerabilities, please refer to the Apache Security Advisory.

Qualys Detection

Qualys customers can scan their devices with QIDs 734127, 734129, and 520146 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://httpd.apache.org/security/vulnerabilities_24.html