Medium severity6.5NVD Advisory· Published Jun 8, 2026· Updated Jun 8, 2026

CVE-2026-43951

Description

Apache HTTP Server 2.4.x versions 2.4.0 through 2.4.67 are vulnerable to an out-of-bounds read in mod_headers and mod_mime.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache HTTP Server 2.4.x versions 2.4.0 through 2.4.67 are vulnerable to an out-of-bounds read in mod_headers and mod_mime.

Vulnerability

An out-of-bounds read vulnerability exists in Apache HTTP Server, specifically within the mod_headers and mod_mime modules, when handling multiple response languages. This issue affects versions from 2.4.0 through 2.4.67 [1].

Exploitation

Details regarding the specific conditions, attacker requirements, or exploitation steps for this vulnerability are not yet disclosed in the available references.

Impact

Details regarding the impact of this vulnerability are not yet disclosed in the available references.

Mitigation

Users are recommended to upgrade to Apache HTTP Server version 2.4.68, which includes a fix for this issue. Version 2.4.68 was released on 2026-06-08 [1].

References

Apache HTTP Server 2.4 vulnerabilities

AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Apache/HTTP Serverllm-fuzzy
Range: 2.4.0 - 2.4.67

Patches

35c6e405390e

cookie reqest header counting (#324)

https://github.com/icing/mod_h2Stefan EissingMay 27, 2026via body-scan

commit

1 file changed · +4 −0

mod_http2/h2_util.c+4 −0 modified

@@ -1708,6 +1708,8 @@ static apr_status_t req_add_header(apr_table_t *headers, apr_pool_t *pool,
              && !ap_cstr_casecmpn("cookie", (const char *)nv->name, nv->namelen)) {
         existing = apr_table_get(headers, "cookie");
         if (existing) {
+            if (!nv->valuelen)
+                return APR_SUCCESS;
             /* Cookie header come separately in HTTP/2, but need
              * to be merged by "; " (instead of default ", ")
              */
@@ -1719,6 +1721,8 @@ static apr_status_t req_add_header(apr_table_t *headers, apr_pool_t *pool,
             apr_table_setn(headers, "Cookie",
                            apr_psprintf(pool, "%s; %.*s", existing,
                                         (int)nv->valuelen, nv->value));
+            /* Treat the merge as an "add" to not escape LimitRequestFields */
+            *pwas_added = 1;
             return APR_SUCCESS;
         }
     }

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

httpd.apache.org/security/vulnerabilities_24.htmlnvd

News mentions

No linked articles in our index yet.

cvss	0.423
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000