Apache HTTP Server 2.4.68 Released With Fix For Use-After-Free, DoS, XSS, and Buffer Overflow Flaws
Cybersecurity NewsArchived Jun 09, 2026✓ Full text saved
The Apache Software Foundation released Apache HTTP Server version 2.4.68 on June 8, 2026, addressing 13 security vulnerabilities spanning multiple modules. The patched flaws include use-after-free conditions, cross-site scripting, heap-based buffer overflows, denial-of-service, privilege escalation, and out-of-bounds read issues affecting all versions from 2.4.0 through 2.4.67. Administrators running any prior release are strongly urged to […] The post Apache HTTP Server 2.4.68 Released With Fi
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security
Apache HTTP Server 2.4.68 Released With Fix For Use-After-Free, DoS, XSS, and Buffer Overflow Flaws
By Guru Baran
June 9, 2026
The Apache Software Foundation released Apache HTTP Server version 2.4.68 on June 8, 2026, addressing 13 security vulnerabilities spanning multiple modules.
The patched flaws include use-after-free conditions, cross-site scripting, heap-based buffer overflows, denial-of-service, privilege escalation, and out-of-bounds read issues affecting all versions from 2.4.0 through 2.4.67.
Administrators running any prior release are strongly urged to upgrade immediately.
Apache HTTP Server 2.4.68
Use-After-Free (UAF) Flaws
Two use-after-free vulnerabilities were patched in this release. CVE-2026-29167 affects mod_ldap in per-directory configurations, where a dangling pointer can be triggered across versions 2.4.0–2.4.67, discovered by Pavel Kohout of Aisle Research.
The second, CVE-2026-48913, impacts the mod_http2 module when file handles are already exhausted — affecting the narrower range of 2.4.55–2.4.67 — and was reported by Sam Lovejoy of IBM X-Force Offensive Research (XOR).
Cross-Site Scripting (XSS)
CVE-2026-29170 describes an XSS flaw in mod_proxy_ftp‘s HTML directory listing generation. When Apache proxies FTP directory contents — either via forward or reverse proxy — unsanitized output can allow script injection. This low-severity issue affects all versions through 2.4.67 and was also discovered by Pavel Kohout of Aisle Research.
Buffer Overflow and Memory Corruption
Four buffer overflow vulnerabilities were remediated:
CVE-2026-34355 (moderate) — A buffer overflow in mod_proxy_html exploitable by an untrusted backend server, found by Elhanan Haenel and Junhui Lee
CVE-2026-34356 (low) — A heap-based overflow in ProxyPassReverseCookieMap triggered via malicious backend servers, discovered by Arkadi Vainbrand and depthfirst
CVE-2026-42536 (low) — A heap overflow in mod_xml2enc via xml2StartParse with untrusted content, reported by Zhenpeng (Leo) Lin of depthfirst
CVE-2026-44631 (low) — A heap underwrite in ap_regname caused by signed char overflow in crafted regex configurations, found by Lin and Bartlomiej Dmitruk
Denial of Service
Two DoS vulnerabilities were fixed. CVE-2026-49975 (moderate) allows memory allocation exhaustion in mod_http2 via malicious HTTP/2 requests, affecting versions 2.4.17–2.4.67, discovered by Quang Luong of Calif.IO in collaboration with OpenAI Codex. CVE-2026-44186 (moderate) triggers an infinite loop in mod_proxy_ftp‘s handler via an attacker-controlled backend FTP server.
Other Notable Fixes
CVE-2026-43951 (moderate) — An out-of-bounds read in merge_response_headers when mod_headers and mod_mime handle multiple response languages, causing child process crashes
CVE-2026-42535 (moderate) — A path handling flaw in mod_dav_fs allowing WebDAV authors to manipulate trusted DAV property databases
CVE-2026-44185 (low) — A stack buffer over-read in mod_ssl‘s OCSP send_request via attacker-controlled OCSP servers
CVE-2026-44119 (moderate) — A privilege escalation flaw allowing local .htaccess authors to read files with httpd user privileges, reported by 10 independent researchers
CVE Module Severity Type
CVE-2026-29167 mod_ldap Low Use-After-Free
CVE-2026-29170 mod_proxy_ftp Low XSS
CVE-2026-34355 mod_proxy_html Moderate Buffer Overflow
CVE-2026-34356 ProxyPassReverseCookieMap Low Heap Overflow
CVE-2026-42535 mod_dav_fs Moderate Path Handling
CVE-2026-42536 mod_xml2enc Low Heap Overflow
CVE-2026-43951 mod_headers/mod_mime Moderate OOB Read
CVE-2026-44119 .htaccess expressions Moderate Privilege Escalation
CVE-2026-44185 mod_ssl OCSP Low Buffer Over-Read
CVE-2026-44186 mod_proxy_ftp Moderate DoS (Infinite Loop)
CVE-2026-44631 ap_regname Low Heap Underwrite
CVE-2026-48913 mod_http2 Low Use-After-Free
CVE-2026-49975 mod_http2 Moderate DoS
The Apache Software Foundation recommends all users upgrade to Apache HTTP Server 2.4.68 immediately. No workarounds are available for most of these vulnerabilities. The updated release is available via the official Apache download page.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Guru Baranhttps://cybersecuritynews.com
Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.
Trending News
Agentic AI Red Teaming Reveals Zero-Click Human-in-the-Loop Bypass Attack Chains
UNC3753 Attacking US Law Firms Using Vishing and RMM Tools to Exfiltrate Data
Malicious Browser Add-Ons Target ChatGPT, Claude, Copilot, Gemini, and DeepSeek Users
Comodo Internet Security 0-Day Vulnerability Lets Attacker Crash the User’s Windows System
Free Apps on Samsung and LG Smart TVs Secretly Turning Your Devices Into AI Proxies
Latest News
Cyber Security
New Shai-Hulud Attack Compromises 23 PyPI Packages to Target MCP Developers
Cyber Security News
New China-Linked Threat Cluster OP-512 Targets IIS Servers With Cryptographically Unique Web Shell Framework
Cyber Security
Check Point VPN 0-day Vulnerability Exploited in the Wild to Deploy Ransomware
Cyber Security
New Linux Kernel Vulnerability Lets Attackers Escalate Privileges to Root
Cyber Security News
New Pink Hacking Group Attacking Enterprise Users to Steal Cloud Storage Passwords