Description
Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's  mod_md via OCSP response data.

This issue affects Apache HTTP Server: from 2.4.30 through 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.
Published: 2026-05-05
Score: 7.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache HTTP Server’s mod_md module processes OCSP responses without imposing a limit on the size of the data it receives. When an attacker supplies an oversized or malicious OCSP response, the module allocates memory proportional to that response, which can exhaust the server’s available resources. The effect is a denial of service that can halt or severely degrade the HTTP server for all users. This is a resource allocation flaw without limits, identified as CWE‑770. The CVSS score is 7.3.

Affected Systems

The vulnerability is present in Apache HTTP Server versions 2.4.30 through 2.4.66, which include the mod_md module. Any deployment that enables mod_md to perform OCSP validation is affected. The vendor is the Apache Software Foundation and the product is Apache HTTP Server.

Risk and Exploitability

The CVSS score is 7.3, indicating a high potential impact. EPSS is not available and this issue is not listed in the CISA KEV catalog, suggesting no publicly known exploits. Based on the description, the likely attack vector is remote and would require an attacker to trigger OCSP response handling by sending a large or malformed OCSP payload to the server. The inference is that the module must be reachable over the network and that the attacker can influence the content of the OCSP response it processes.

Generated by OpenCVE AI on May 5, 2026 at 17:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache HTTP Server to version 2.4.67 or later, which includes a size check for OCSP responses in mod_md.
  • If OCSP validation is not required for your environment, disable or remove the mod_md module to eliminate the attack surface.
  • After applying the patch or disabling the module, monitor server memory usage and response times to verify that the denial of service risk has been mitigated.

Generated by OpenCVE AI on May 5, 2026 at 17:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 05 May 2026 17:30:00 +0000

Type Values Removed Values Added
References

Tue, 05 May 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 05 May 2026 14:00:00 +0000

Type Values Removed Values Added
Description Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's  mod_md via OCSP response data. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
Title Apache HTTP Server: mod_md unrestricted OCSP response
First Time appeared Apache
Apache http Server
Weaknesses CWE-770
CPEs cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
Vendors & Products Apache
Apache http Server
References

Subscriptions

Apache Http Server
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-05T16:31:49.391Z

Reserved: 2026-03-04T11:48:34.053Z

Link: CVE-2026-29168

cve-icon Vulnrichment

Updated: 2026-05-05T16:31:49.391Z

cve-icon NVD

Status : Received

Published: 2026-05-05T14:16:08.507

Modified: 2026-05-05T17:17:04.077

Link: CVE-2026-29168

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-05T17:45:06Z

Weaknesses