High severity · CVSS 7.5 · NVD Advisory · Published Nov 22, 2010 · Updated Apr 29, 2026
CVE-2010-3872
Description
A flaw was found in the mod_fcgid module of httpd. A malformed FastCGI response may result in a stack-based buffer overflow in the modules/fcgid/fcgid_bucket.c file in the fcgid_header_bucket_read() function, resulting in an application crash.
Affected products
- cpe:2.3:a:apache:mod_fcgid:*:*:*:*:*:*:*:* (range: <= 2.3.5)
- cpe:2.3:a:apache:mod_fcgid:2.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:mod_fcgid:2.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:mod_fcgid:2.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:mod_fcgid:2.3.4:*:*:*:*:*:*:*
Patches
Commit b1afa70840b4: SECURITY: CVE-2010-3872 (cve.mitre.org)
2 files changed, +5 −1
CHANGES-FCGID+4 −0 modified@@ -1,6 +1,10 @@ -*- coding: utf-8 -*- Changes with mod_fcgid 2.3.6 + *) SECURITY: CVE-2010-3872 (cve.mitre.org) + Fix possible stack buffer overwrite. Diagnosed by the reporter. + PR 49406. [Edgar Frank <ef-lists email.de>] + *) Change the default for FcgidMaxRequestLen from 1GB to 128K. Administrators should change this to an appropriate value based on site requirements. [Jeff Trawick]
modules/fcgid/fcgid_bucket.c+1 −1 modified@@ -96,7 +96,7 @@ static apr_status_t fcgid_header_bucket_read(apr_bucket * b, /* Initialize header */ putsize = fcgid_min(bufferlen, sizeof(header) - hasread); - memcpy(&header + hasread, buffer, putsize); + memcpy((apr_byte_t *)&header + hasread, buffer, putsize); hasread += putsize; /* Ignore the bytes that have read */
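Review bot: The CHANGES-FCGID entry names the symptom (stack buffer overwrite) but neither the file nor the function, so anyone grepping the changelog for fcgid_bucket.c or fcgid_header_bucket_read() will not find this fix; suggest the second line read "Fix possible stack buffer overwrite in fcgid_header_bucket_read() (fcgid_bucket.c)." One clause on the trigger (a record header that arrives across more than one bucket read) would also help, since this entry is the text distributions copy into their own advisories.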
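Review bot: The cast in the new memcpy line is the whole fix and it is the right one: header is a struct, so the old destination &header + hasread advanced by hasread * sizeof(header) bytes, which means the first partial read (hasread == 0) landed correctly and every later one wrote past the header, while putsize = fcgid_min(bufferlen, sizeof(header) - hasread) kept the byte count correct, so the overwrite was exactly the remaining header bytes at the wrong place. Two follow-ups worth doing alongside it: (1) put a one-line comment above the memcpy saying the destination is deliberately byte-addressed, because the original expression looked natural enough to pass review once already; (2) confirm that the loop around this hunk (not shown here) still guarantees hasread < sizeof(header) when putsize is computed, since sizeof(header) - hasread is unsigned and would wrap if hasread ever reached sizeof(header). A regression test that delivers the header in two buckets (for example 3 bytes then 5) would have caught the original and would pin the fix.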
Vulnerability mechanics
fcgid_header_bucket_read() reassembles the 8-byte FastCGI record header across partial bucket reads, tracking the bytes already consumed in hasread. The pre-fix copy used &header + hasread as the memcpy destination. Because header is a struct, that addition is scaled by sizeof(header): the first read (hasread 0) is copied to the start of the header, but every later partial read is copied hasread * sizeof(header) bytes from the start rather than hasread bytes. The length, putsize = fcgid_min(bufferlen, sizeof(header) - hasread), was bounded correctly, so the number of bytes written was right while their destination was not, and the remaining header bytes of the FastCGI response were written past the header variable onto neighbouring stack. A response whose record header is delivered across more than one bucket read is what reaches the mislocated write; a header consumed in a single read is copied to offset 0 and is unaffected. The fix casts the destination to apr_byte_t * before adding hasread, so the offset is byte-wise. The patch also lists an unrelated changelog entry lowering the FcgidMaxRequestLen default from 1GB to 128K; that change is not part of this CVE.
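The following is an added example, not code from mod_fcgid or from the commit above. It simulates the per-read copy step with both destination expressions (the pre-fix struct-pointer arithmetic and the fixed byte-pointer arithmetic) against a constructed FCGI_STDOUT header delivered in one or two reads, inside a bounded stand-in for the stack frame so the simulation itself never writes out of bounds. The header struct, the SAMPLE_HEADER bytes, FRAME_LEN, and the demo_* helper names are all constructed for this example and are not mod_fcgid identifiers.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FCGI_HEADER_LEN 8
#define FRAME_LEN 32  /* simulated stack frame: the header plus 24 neighbouring bytes */

/* 8-byte FastCGI record header, field layout per the FastCGI spec. This is a
 * constructed stand-in; mod_fcgid's own FCGI_Header type is not reproduced. */
typedef struct {
    uint8_t version, type;
    uint8_t requestIdB1, requestIdB0;
    uint8_t contentLengthB1, contentLengthB0;
    uint8_t paddingLength, reserved;
} fcgi_header;

/* Constructed FCGI_STDOUT record header: version 1, type 6, requestId 1,
 * contentLength 18, paddingLength 6. */
const uint8_t SAMPLE_HEADER[FCGI_HEADER_LEN] = { 1, 6, 0, 1, 0, 18, 6, 0 };

/* Byte offset one copy lands at. Pre-fix: &header + hasread, which C scales
 * by sizeof(header). Post-fix: (apr_byte_t *)&header + hasread, i.e. hasread. */
static size_t dest_offset(size_t hasread, int fixed) {
    return fixed ? hasread : hasread * sizeof(fcgi_header);
}

/* Reassemble a header from nchunks partial bucket reads into a simulated frame
 * whose first FCGI_HEADER_LEN bytes stand for the header variable. Mirrors the
 * per-read step in fcgid_header_bucket_read(): putsize is bounded by
 * sizeof(header) - hasread, so the byte COUNT is always right; only the
 * destination differs between the two variants. Writes are clamped to the
 * frame so this simulation never itself goes out of bounds. Returns one past
 * the highest offset the copy would have written; anything above
 * FCGI_HEADER_LEN means response bytes spilled onto neighbouring stack. */
size_t reassemble(const uint8_t *const chunks[], const size_t lens[],
                  size_t nchunks, int fixed, uint8_t frame[FRAME_LEN]) {
    size_t hasread = 0, high_water = 0;
    memset(frame, 0xAA, FRAME_LEN);  /* 0xAA marks bytes the copy never touched */
    for (size_t i = 0; i < nchunks && hasread < FCGI_HEADER_LEN; i++) {
        size_t remaining = FCGI_HEADER_LEN - hasread;
        size_t putsize = lens[i] < remaining ? lens[i] : remaining;
        size_t off = dest_offset(hasread, fixed);
        for (size_t k = 0; k < putsize; k++) {
            if (off + k < FRAME_LEN) frame[off + k] = chunks[i][k];
            if (off + k + 1 > high_water) high_water = off + k + 1;
        }
        hasread += putsize;
    }
    return high_water;
}

/* contentLength of whatever ended up in the header slot (big-endian). */
uint16_t header_content_length(const uint8_t frame[FRAME_LEN]) {
    fcgi_header h;
    memcpy(&h, frame, sizeof h);
    return (uint16_t)((h.contentLengthB1 << 8) | h.contentLengthB0);
}

/* Scenario: the sample header arrives as a first read of `split` bytes and a
 * second read carrying the rest (split == FCGI_HEADER_LEN means one read). */
static size_t run_scenario(size_t split, int fixed, uint8_t frame[FRAME_LEN]) {
    const uint8_t *chunks[2] = { SAMPLE_HEADER, SAMPLE_HEADER + split };
    size_t lens[2] = { split, FCGI_HEADER_LEN - split };
    return reassemble(chunks, lens, split == FCGI_HEADER_LEN ? 1 : 2, fixed, frame);
}

size_t demo_high_water(size_t split, int fixed) {
    uint8_t frame[FRAME_LEN];
    return run_scenario(split, fixed, frame);
}

uint16_t demo_content_length(size_t split, int fixed) {
    uint8_t frame[FRAME_LEN];
    run_scenario(split, fixed, frame);
    return header_content_length(frame);
}

int main(void) {
    for (size_t split = 1; split <= FCGI_HEADER_LEN; split++) {
        printf("split %zu: pre-fix writes up to offset %2zu (contentLength %5u); "
               "fixed writes up to %zu (contentLength %u)\n",
               split, demo_high_water(split, 0), (unsigned)demo_content_length(split, 0),
               demo_high_water(split, 1), (unsigned)demo_content_length(split, 1));
    }
    return 0;
}
```

With the header delivered in a single read both variants stay within the 8 header bytes; with a 3-byte then 5-byte split, the pre-fix arithmetic puts the second chunk at offset 24 and leaves the header slot itself holding the untouched 0xAA filler, so the parsed contentLength is garbage as well as the stack being overwritten.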
References (as listed by NVD)
- issues.apache.org/bugzilla/show_bug.cgi (Patch)
- secunia.com/advisories/42288 (Vendor Advisory)
- secunia.com/advisories/42302 (Vendor Advisory)
- www.vupen.com/english/advisories/2010/2997 (Vendor Advisory)
- www.vupen.com/english/advisories/2010/2998 (Vendor Advisory)
- lists.fedoraproject.org/pipermail/package-announce/2010-November/050930.html
- lists.fedoraproject.org/pipermail/package-announce/2010-November/050932.html
- lists.fedoraproject.org/pipermail/package-announce/2010-November/050976.html
- lists.opensuse.org/opensuse-security-announce/2011-08/msg00004.html
- lists.opensuse.org/opensuse-security-announce/2011-08/msg00005.html
- osvdb.org/69275
- secunia.com/advisories/42815
- www.debian.org/security/2010/dsa-2140
- www.gossamer-threads.com/lists/apache/announce/391406
- www.securityfocus.com/bid/44900
- www.vupen.com/english/advisories/2011/0031
- access.redhat.com/security/cve/CVE-2010-3872
- bugzilla.redhat.com/show_bug.cgi
- exchange.xforce.ibmcloud.com/vulnerabilities/63303
- github.com/apache/httpd-mod_fcgid/commit/b1afa70840b4ab4e6fbc12ac8798b2f3ccc336b2