CVE-2026-29168 - Vulnerability Details

- Apache HTTP Server: mod_md unrestricted OCSP response

Description

Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's mod_md via OCSP response data.

This issue affects Apache HTTP Server: from 2.4.30 through 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Published: 2026-05-05

Score: 7.3 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Apache HTTP Server’s mod_md module processes OCSP responses without imposing a limit on the size of the data it receives. When an attacker supplies an oversized or malicious OCSP response, the module allocates memory proportional to that response, which can exhaust the server’s available resources. The effect is a denial of service that can halt or severely degrade the HTTP server for all users. This is a resource allocation flaw without limits, identified as CWE‑770. The CVSS score is 7.3.

Affected Systems

The vulnerability is present in Apache HTTP Server versions 2.4.30 through 2.4.66, which include the mod_md module. Any deployment that enables mod_md to perform OCSP validation is affected. The vendor is the Apache Software Foundation and the product is Apache HTTP Server.

Risk and Exploitability

The CVSS score is 7.3, indicating a high potential impact. EPSS is not available and this issue is not listed in the CISA KEV catalog, suggesting no publicly known exploits. Based on the description, the likely attack vector is remote and would require an attacker to trigger OCSP response handling by sending a large or malformed OCSP payload to the server. The inference is that the module must be reachable over the network and that the attacker can influence the content of the OCSP response it processes.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Apache Software Foundation

Apache HTTP Server

unaffected

Version	Status	Constraints
`2.4.30`	affected	≤ 2.4.66

Configuration 1 [-]

cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Apache

Http Server

95%

Version	Status	Scheme	Platform
`[2.4.30,2.4.66]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Apache HTTP Server to version 2.4.67 or later, which includes a size check for OCSP responses in mod_md.
If OCSP validation is not required for your environment, disable or remove the mod_md module to eliminate the attack surface.
After applying the patch or disabling the module, monitor server memory usage and response times to verify that the denial of service risk has been mitigated.

Generated by OpenCVE AI on May 5, 2026 at 17:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4571-1	[ERRATUM] [DLA 4571-1] apache2 security update
Debian DSA	DSA-6248-1	apache2 security update
Ubuntu USN	USN-8239-1	Apache HTTP Server vulnerabilities

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00035.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
http://www.openwall.com/lists/oss-security/2026/05/05/6
https://httpd.apache.org/security/vulnerabilities_24.html
https://nvd.nist.gov/vuln/detail/CVE-2026-29168
https://www.cve.org/CVERecord?id=CVE-2026-29168

History

Wed, 13 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-29168 https://www.cve.org/CVERecord?id=CVE-2026-29168
Metrics	threat_severity `None`	threat_severity `Moderate`

Tue, 05 May 2026 17:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/05/05/6

Tue, 05 May 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 05 May 2026 14:00:00 +0000

Type	Values Removed	Values Added
Description		Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's mod_md via OCSP response data. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
Title		Apache HTTP Server: mod_md unrestricted OCSP response
First Time appeared		Apache Apache http Server
Weaknesses		CWE-770
CPEs		cpe:2.3:a:apache:http_server::::::::
Vendors & Products		Apache Apache http Server
References		https://httpd.apache.org/security/vulnerabilities_24.html

Subscriptions

Apache Http Server

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2026-05-05T13:10:05.656Z

Updated: 2026-05-05T16:31:49.391Z

Reserved: 2026-03-04T11:48:34.053Z

Link: CVE-2026-29168

Vulnrichment

Updated: 2026-05-05T16:31:49.391Z

NVD

Status : Analyzed

Published: 2026-05-05T14:16:08.507

Modified: 2026-05-06T18:39:20.980

Link: CVE-2026-29168

Redhat

Severity : Moderate

Publid Date: 2026-05-05T13:10:05Z

Links: CVE-2026-29168 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-05T17:45:06Z

Weaknesses

CWE-770

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object