Vypr Intelligence · AI-generated · Jun 8, 2026 · 11 CVEs

Apache HTTP Server: 11 Vulnerabilities Disclosed, Including DoS and Memory Corruption Flaws

Apache HTTP Server versions 2.4.0 through 2.4.67 are affected by 11 vulnerabilities disclosed on June 8, 2026, including denial-of-service and memory corruption issues.

Key findings

  • 11 vulnerabilities in Apache HTTP Server versions 2.4.0-2.4.67 disclosed on June 8, 2026.
  • CVE-2026-49975 is part of the 'HTTP/2 Bomb' DoS attack, affecting multiple web servers.
  • Vulnerabilities include DoS, memory corruption (buffer overflows/under-reads), and XSS.
  • Affected modules include mod_http, mod_http2, mod_proxy_ftp, mod_xml2enc, mod_proxy_html, mod_ldap, and .htaccess handling.
  • All disclosed issues are fixed in Apache HTTP Server version 2.4.68.
  • Users are strongly advised to upgrade to version 2.4.68 to patch these vulnerabilities.

Apache HTTP Server Hit by 11 Vulnerabilities in Single Disclosure

On June 8, 2026, a batch of eleven vulnerabilities affecting the Apache HTTP Server, specifically versions 2.4.0 through 2.4.67, was disclosed. This coordinated disclosure touches numerous modules and functions of the widely used web server, highlighting potential risks for administrators and users. The vulnerabilities span a range of severities, including denial-of-service (DoS) conditions, memory allocation errors, and buffer overflows, underscoring the need for prompt patching.

Denial of Service and Memory Exhaustion

A notable cluster of vulnerabilities focuses on denial-of-service and memory exhaustion. CVE-2026-49975, a Memory Allocation with Excessive Size Value vulnerability in mod_http, can lead to a DoS via malicious HTTP requests. This specific vulnerability is part of the broader "HTTP/2 Bomb" attack, which chains HPACK compression amplification with Slowloris-style resource retention to exhaust server memory. Related news coverage indicates this attack can be launched from a single machine and affects multiple major web servers, including Apache HTTP Server, NGINX, and Microsoft IIS [N1, N2, N3, N4].

Another DoS vulnerability, CVE-2026-44186, resides in the mod_proxy_ftp module. It involves a loop with an unreachable exit condition when interacting with an attacker-controlled backend FTP server. Additionally, CVE-2026-48913, a Use After Free vulnerability in mod_http2, arises when file handles are exhausted, potentially leading to DoS.

Memory Corruption and Information Disclosure

Several vulnerabilities involve memory corruption, including buffer overflows and underflows. CVE-2026-44631, a Buffer Underwrite vulnerability, occurs due to crafted regular expressions in the server's configuration. Heap-based buffer overflows are present in CVE-2026-42536, affecting mod_xml2enc when processing untrusted content, and CVE-2026-34356, which can be triggered by malicious backend servers and ProxyPassReverseCookie* directives. CVE-2026-34355, a buffer overflow in mod_proxy_html, can be exploited by an untrusted backend server.

Further memory-related issues include CVE-2026-44185, a Buffer Over-read vulnerability triggered by outbound OCSP requests to an attacker-controlled OCSP server. A distinct vulnerability, CVE-2026-44119, is an Improper Privilege Management flaw that allows local .htaccess authors to read files with the privileges of the httpd user, potentially leading to information disclosure.

Cross-Site Scripting and Module-Specific Flaws

Cross-site scripting (XSS) is also addressed in CVE-2026-29170, a vulnerability in mod_proxy_ftp's HTML directory list generation. This can be exploited when listing FTP directory contents via forward or reverse proxy configurations. Finally, CVE-2026-29167, another Use After Free vulnerability, impacts mod_ldap when used in per-directory configurations.

Patching and Mitigation

All eleven vulnerabilities disclosed on June 8, 2026, are addressed in Apache HTTP Server version 2.4.68. Users are strongly recommended to upgrade to this latest version to mitigate the risks associated with these flaws. For versions prior to 2.4.68, specific mitigations would depend on the affected module and configuration, but upgrading remains the most effective solution.
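Because the advisory ties several of the flaws to specific modules, a first triage step on a fleet is to check each host's build version and which of those modules it actually loads. The helper below is an added example, not code from the advisory or the Apache project: it parses `httpd -v` and `httpd -M` output, flags builds in the 2.4.0 to 2.4.67 range, and lists the loaded modules the advisory names. The `mod_foo` to `foo_module` naming in `httpd -M` output is assumed, the sample output is constructed, and CVEs the text does not tie to a named module (the configuration regex, ProxyPassReverseCookie*, OCSP and .htaccess issues) are deliberately not mapped.

```python
import re

# Affected range and fixed release as stated in the advisory.
FIXED = (2, 4, 68)
AFFECTED_MIN = (2, 4, 0)

# Modules named in the advisory, keyed by the name `httpd -M` prints
# (assumed convention: mod_foo is listed as foo_module).
MODULE_CVES = {
    "http_module": ["CVE-2026-49975"],
    "http2_module": ["CVE-2026-48913"],
    "proxy_ftp_module": ["CVE-2026-44186", "CVE-2026-29170"],
    "xml2enc_module": ["CVE-2026-42536"],
    "proxy_html_module": ["CVE-2026-34355"],
    "ldap_module": ["CVE-2026-29167"],
}

def parse_version(httpd_v: str):
    """Extract (major, minor, patch) from `httpd -v` output; None if absent."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", httpd_v)
    return tuple(int(x) for x in m.groups()) if m else None

def is_affected(version) -> bool:
    """True when the version lies in the advisory's 2.4.0..2.4.67 range."""
    return version is not None and AFFECTED_MIN <= version < FIXED

def loaded_modules(httpd_m: str):
    """Module names from `httpd -M` output, whether static or shared."""
    return set(re.findall(r"^\s*(\w+_module)\s+\((?:static|shared)\)", httpd_m, re.M))

def exposure(httpd_v: str, httpd_m: str):
    """Map each loaded, advisory-named module to its CVEs; empty when the
    build is 2.4.68 or later (or no Apache version is found)."""
    if not is_affected(parse_version(httpd_v)):
        return {}
    mods = loaded_modules(httpd_m)
    return {m: cves for m, cves in MODULE_CVES.items() if m in mods}

# Constructed sample output, not captured from a real host.
SAMPLE_V = "Server version: Apache/2.4.63 (Unix)\nServer built:   Jan 01 2026 00:00:00\n"
SAMPLE_M = """Loaded Modules:
 core_module (static)
 http_module (static)
 proxy_module (shared)
 proxy_ftp_module (shared)
"""
if __name__ == "__main__":
    for mod, cves in exposure(SAMPLE_V, SAMPLE_M).items():
        print(f"{mod}: {', '.join(cves)}")
```

Because mod_http is core, every affected build reports CVE-2026-49975; the module-specific entries are what let you order the upgrade queue.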

This coordinated disclosure highlights the ongoing security challenges faced by widely deployed web server software. Administrators should prioritize updating their Apache HTTP Server instances to version 2.4.68 to protect against these diverse threats, ranging from simple denial-of-service attacks to more complex memory corruption exploits.

AI-written article. Grounded in 11 CVE records listed below.