Description
Improper Null Termination, Out-of-bounds Read vulnerability in Apache HTTP Server.

This issue affects Apache HTTP Server: through 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.
Published: 2026-05-04
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises from an improper null termination in the ajp_msg_get_string function within Apache HTTP Server’s mod_proxy_ajp module, causing an out‑of‑bounds read. The over‑read can expose arbitrary memory contents of the server process, leading to information disclosure, and may trigger a crash, resulting in denial of service. The weakness is classified as CWE-125 (Out‑of‑Bounds Read) and CWE-170 (Improper Null Termination).

Affected Systems

Apache Software Foundation’s Apache HTTP Server is affected through version 2.4.66. Users are advised to upgrade to version 2.4.67 or later, where the null‑termination check has been restored.

Risk and Exploitability

This vulnerability is accessible remotely via the AJP protocol; based on the description, it is inferred that an attacker can send a specially crafted request to trigger the over‑read. The CVSS score is 5.3, EPSS is not available, and the issue is not listed in CISA’s KEV catalog. While the probability of exploitation is unknown, the remote nature of the attack, coupled with the potential for data leakage or service disruption, warrants prompt action.

Generated by OpenCVE AI on May 4, 2026 at 15:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache HTTP Server to version 2.4.67 or later to apply the fix for the missing null‑termination check in mod_proxy_ajp.
  • If mod_proxy_ajp is not required, disable the module to eliminate the vulnerable code path.
  • Restrict the AJP port to trusted networks only, and consider wrapping it in a firewall or VPN to reduce exposure to external attackers.
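A small triage helper, added here as an example and not part of the OpenCVE page or the Apache project, that turns the first two recommended actions into a check: it reads the text that `httpd -v` and `httpd -M` print, decides whether the version is in the affected range (through 2.4.66, fixed in 2.4.67) and whether mod_proxy_ajp is actually loaded, and prints the matching action. The function names and the sample command outputs are constructed for illustration.

```python
# Added example (not from the OpenCVE page or Apache): triage an httpd
# instance for CVE-2026-34032 from `httpd -v` / `httpd -M` output.
import re

# From the advisory: versions through 2.4.66 are affected, 2.4.67 fixes it.
FIXED_VERSION = (2, 4, 67)


def parse_version(httpd_v_output: str) -> tuple:
    """Extract (major, minor, patch) from `httpd -v` output,
    e.g. 'Server version: Apache/2.4.66 (Unix)'."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", httpd_v_output)
    if not m:
        raise ValueError("no Apache/x.y.z version string found")
    return tuple(int(x) for x in m.groups())


def is_affected_version(version) -> bool:
    """Anything below the fixed release is treated as affected."""
    return tuple(version) < FIXED_VERSION


def proxy_ajp_loaded(httpd_m_output: str) -> bool:
    """`httpd -M` lists loaded modules one per line,
    e.g. ' proxy_ajp_module (shared)'."""
    return any(line.strip().startswith("proxy_ajp_module")
               for line in httpd_m_output.splitlines())


def triage(httpd_v_output: str, httpd_m_output: str) -> dict:
    """Combine version and module state into a recommended action."""
    version = parse_version(httpd_v_output)
    affected = is_affected_version(version)
    loaded = proxy_ajp_loaded(httpd_m_output)
    if not affected:
        action = "none: version is 2.4.67 or later"
    elif loaded:
        action = ("upgrade to 2.4.67 or later; until then disable "
                  "mod_proxy_ajp or restrict the AJP backend to trusted networks")
    else:
        action = ("upgrade to 2.4.67 or later; mod_proxy_ajp is not loaded, "
                  "so the vulnerable code path is not reachable")
    return {
        "version": ".".join(str(x) for x in version),
        "affected_version": affected,
        "proxy_ajp_loaded": loaded,
        "action": action,
    }


# Constructed sample outputs, in the format the real commands print.
SAMPLE_V = "Server version: Apache/2.4.66 (Unix)\nServer built:   Jan  1 2026"
SAMPLE_M = """Loaded Modules:
 core_module (static)
 so_module (static)
 proxy_module (shared)
 proxy_ajp_module (shared)
"""

if __name__ == "__main__":
    print(triage(SAMPLE_V, SAMPLE_M))
```

On a real host, feed the helper the captured output of `httpd -v` and `httpd -M` (or `apachectl -M` on distributions that wrap the binary); the check is deliberately offline so it can be run against configuration-management snapshots as well.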

Generated by OpenCVE AI on May 4, 2026 at 15:52 UTC.

Tracking


Advisories

No advisories yet.

History

Mon, 04 May 2026 20:30:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*

Mon, 04 May 2026 18:30:00 +0000

Type: References

Mon, 04 May 2026 15:30:00 +0000

Type: First Time appeared
Values Added: Apache; Apache http Server
Type: Vendors & Products
Values Added: Apache; Apache http Server

Mon, 04 May 2026 14:30:00 +0000

Type: Metrics
Values Added:
cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 04 May 2026 13:30:00 +0000

Type: Description
Values Added: Improper Null Termination, Out-of-bounds Read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
Type: Title
Values Added: Apache HTTP Server: mod_proxy_ajp: Heap Buffer Over-Read Due to Missing Null-Termination Check (ajp_msg_get_string)
Type: Weaknesses
Values Added: CWE-125; CWE-170
Type: References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-04T17:32:51.452Z

Reserved: 2026-03-25T13:39:27.421Z

Link: CVE-2026-34032

Vulnrichment

Updated: 2026-05-04T17:32:51.452Z

NVD

Status: Analyzed

Published: 2026-05-04T14:16:33.447

Modified: 2026-05-04T20:25:47.733

Link: CVE-2026-34032

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T16:00:04Z

Weaknesses