CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 09, 2026

Apache HTTP Server 2.4.68 Released With Fix For Use-After-Free, DoS, XSS, and Buffer Overflow Flaws

Cybersecurity News Archived Jun 09, 2026 ✓ Full text saved

The Apache Software Foundation released Apache HTTP Server version 2.4.68 on June 8, 2026, addressing 13 security vulnerabilities spanning multiple modules. The patched flaws include use-after-free conditions, cross-site scripting, heap-based buffer overflows, denial-of-service, privilege escalation, and out-of-bounds read issues affecting all versions from 2.4.0 through 2.4.67. Administrators running any prior release are strongly urged to […] The post Apache HTTP Server 2.4.68 Released With Fi

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security Apache HTTP Server 2.4.68 Released With Fix For Use-After-Free, DoS, XSS, and Buffer Overflow Flaws By Guru Baran June 9, 2026 The Apache Software Foundation released Apache HTTP Server version 2.4.68 on June 8, 2026, addressing 13 security vulnerabilities spanning multiple modules. The patched flaws include use-after-free conditions, cross-site scripting, heap-based buffer overflows, denial-of-service, privilege escalation, and out-of-bounds read issues affecting all versions from 2.4.0 through 2.4.67. Administrators running any prior release are strongly urged to upgrade immediately. Apache HTTP Server 2.4.68 Use-After-Free (UAF) Flaws Two use-after-free vulnerabilities were patched in this release. CVE-2026-29167 affects mod_ldap in per-directory configurations, where a dangling pointer can be triggered across versions 2.4.0–2.4.67, discovered by Pavel Kohout of Aisle Research. The second, CVE-2026-48913, impacts the mod_http2 module when file handles are already exhausted — affecting the narrower range of 2.4.55–2.4.67 — and was reported by Sam Lovejoy of IBM X-Force Offensive Research (XOR). Cross-Site Scripting (XSS) CVE-2026-29170 describes an XSS flaw in mod_proxy_ftp‘s HTML directory listing generation. When Apache proxies FTP directory contents — either via forward or reverse proxy — unsanitized output can allow script injection. This low-severity issue affects all versions through 2.4.67 and was also discovered by Pavel Kohout of Aisle Research. Buffer Overflow and Memory Corruption Four buffer overflow vulnerabilities were remediated: CVE-2026-34355 (moderate) — A buffer overflow in mod_proxy_html exploitable by an untrusted backend server, found by Elhanan Haenel and Junhui Lee CVE-2026-34356 (low) — A heap-based overflow in ProxyPassReverseCookieMap triggered via malicious backend servers, discovered by Arkadi Vainbrand and depthfirst CVE-2026-42536 (low) — A heap overflow in mod_xml2enc via xml2StartParse with untrusted content, reported by Zhenpeng (Leo) Lin of depthfirst CVE-2026-44631 (low) — A heap underwrite in ap_regname caused by signed char overflow in crafted regex configurations, found by Lin and Bartlomiej Dmitruk Denial of Service Two DoS vulnerabilities were fixed. CVE-2026-49975 (moderate) allows memory allocation exhaustion in mod_http2 via malicious HTTP/2 requests, affecting versions 2.4.17–2.4.67, discovered by Quang Luong of Calif.IO in collaboration with OpenAI Codex. CVE-2026-44186 (moderate) triggers an infinite loop in mod_proxy_ftp‘s handler via an attacker-controlled backend FTP server. Other Notable Fixes CVE-2026-43951 (moderate) — An out-of-bounds read in merge_response_headers when mod_headers and mod_mime handle multiple response languages, causing child process crashes CVE-2026-42535 (moderate) — A path handling flaw in mod_dav_fs allowing WebDAV authors to manipulate trusted DAV property databases CVE-2026-44185 (low) — A stack buffer over-read in mod_ssl‘s OCSP send_request via attacker-controlled OCSP servers CVE-2026-44119 (moderate) — A privilege escalation flaw allowing local .htaccess authors to read files with httpd user privileges, reported by 10 independent researchers CVE Module Severity Type CVE-2026-29167 mod_ldap Low Use-After-Free CVE-2026-29170 mod_proxy_ftp Low XSS CVE-2026-34355 mod_proxy_html Moderate Buffer Overflow CVE-2026-34356 ProxyPassReverseCookieMap Low Heap Overflow CVE-2026-42535 mod_dav_fs Moderate Path Handling CVE-2026-42536 mod_xml2enc Low Heap Overflow CVE-2026-43951 mod_headers/mod_mime Moderate OOB Read CVE-2026-44119 .htaccess expressions Moderate Privilege Escalation CVE-2026-44185 mod_ssl OCSP Low Buffer Over-Read CVE-2026-44186 mod_proxy_ftp Moderate DoS (Infinite Loop) CVE-2026-44631 ap_regname Low Heap Underwrite CVE-2026-48913 mod_http2 Low Use-After-Free CVE-2026-49975 mod_http2 Moderate DoS The Apache Software Foundation recommends all users upgrade to Apache HTTP Server 2.4.68 immediately. No workarounds are available for most of these vulnerabilities. The updated release is available via the official Apache download page. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Guru Baranhttps://cybersecuritynews.com Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments. Trending News Agentic AI Red Teaming Reveals Zero-Click Human-in-the-Loop Bypass Attack Chains UNC3753 Attacking US Law Firms Using Vishing and RMM Tools to Exfiltrate Data Malicious Browser Add-Ons Target ChatGPT, Claude, Copilot, Gemini, and DeepSeek Users Comodo Internet Security 0-Day Vulnerability Lets Attacker Crash the User’s Windows System Free Apps on Samsung and LG Smart TVs Secretly Turning Your Devices Into AI Proxies Latest News Cyber Security New Shai-Hulud Attack Compromises 23 PyPI Packages to Target MCP Developers Cyber Security News New China-Linked Threat Cluster OP-512 Targets IIS Servers With Cryptographically Unique Web Shell Framework Cyber Security Check Point VPN 0-day Vulnerability Exploited in the Wild to Deploy Ransomware Cyber Security New Linux Kernel Vulnerability Lets Attackers Escalate Privileges to Root Cyber Security News New Pink Hacking Group Attacking Enterprise Users to Steal Cloud Storage Passwords
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 09, 2026
    Archived
    Jun 09, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗