VYPR
Unrated severity · NVD Advisory · Published Jun 8, 2026

CVE-2026-42535

Description

Apache HTTP Server 2.4.67 and earlier has a path handling flaw in mod_dav_fs that can crash child processes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A path handling issue in the mod_dav_fs module of Apache HTTP Server allows a WebDAV content author to directly manipulate trusted DAV property databases. This vulnerability affects Apache HTTP Server versions 2.4.0 through 2.4.67 [1].

Exploitation

Exploitation requires WebDAV content author privileges and involves direct manipulation of trusted DAV property databases [1]. The available references do not detail the exact sequence of steps required to trigger the vulnerability.

Impact

Successful exploitation of this vulnerability can lead to crashes in child processes of the Apache HTTP Server. This could result in a denial of service for web services handled by the affected child processes [1].

Mitigation

Apache HTTP Server version 2.4.68, released on 2026-06-08, addresses this issue [1]. Users should upgrade to this version or later. No workarounds are mentioned in the available references.

AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

1
35c6e405390e

cookie request header counting (#324)

https://github.com/icing/mod_h2 · Stefan Eissing · May 27, 2026 · via body-scan
1 file changed · +4 −0
  • mod_http2/h2_util.c (+4 −0, modified)
    @@ -1708,6 +1708,8 @@ static apr_status_t req_add_header(apr_table_t *headers, apr_pool_t *pool,
                  && !ap_cstr_casecmpn("cookie", (const char *)nv->name, nv->namelen)) {
             existing = apr_table_get(headers, "cookie");
             if (existing) {
    +            if (!nv->valuelen)
    +                return APR_SUCCESS;
                 /* Cookie header come separately in HTTP/2, but need
                  * to be merged by "; " (instead of default ", ")
                  */
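Review bot: The early return on `if (!nv->valuelen)` exits before `*pwas_added` is touched, while the merge path later in this same change sets `*pwas_added = 1` so that a merged cookie field still counts toward LimitRequestFields. If an empty cookie field arriving after the first one is meant to be exempt from that count, state it in a comment above the check; if not, set `*pwas_added = 1` before returning. The check also sits inside `if (existing)`, so it only covers the second and later cookie fields, which is worth a one-line comment as well.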
    @@ -1719,6 +1721,8 @@ static apr_status_t req_add_header(apr_table_t *headers, apr_pool_t *pool,
                 apr_table_setn(headers, "Cookie",
                                apr_psprintf(pool, "%s; %.*s", existing,
                                             (int)nv->valuelen, nv->value));
    +            /* Treat the merge as an "add" to not escape LimitRequestFields */
    +            *pwas_added = 1;
                 return APR_SUCCESS;
             }
         }
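Review bot: `*pwas_added = 1;` dereferences the out-parameter unconditionally, and nothing in the visible lines shows that every caller of `req_add_header` passes a non-NULL pointer. Either guard the write (`if (pwas_added) *pwas_added = 1;`) or document the non-NULL contract at the function header. A regression test covering merged cookie fields against the LimitRequestFields setting would pin down the behaviour the new comment describes.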
    

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
