Description
A buffer overflow in mod_proxy_html in Apache HTTP Server 2.4.67 and earlier allows an attack by an untrusted backend.
Users are recommended to upgrade to version 2.4.68, which fixes this issue.
Published: 2026-06-08
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic buffer overflow located in Apache HTTP Server’s mod_proxy_html component. An attacker who can instruct the server to proxy content from an untrusted backend can cause the server to read or write beyond the bounds of a buffer, potentially allowing arbitrary code execution or a crash. The weakness is identified as CWE‑122, a classic stack buffer overflow scenario that can lead to full control over the affected process.

Affected Systems

The flaw affects Apache Software Foundation’s Apache HTTP Server, specifically all releases up to and including 2.4.67. The vendor recommends updating to version 2.4.68, which contains a patch that eliminates the overflow by correcting the handling of backend responses.

Risk and Exploitability

No CVSS score is publicly disclosed, and EPSS data is unavailable, indicating no current quantifiable estimate of exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog. The likely attack path involves sending crafted requests to the server that trigger the mis‑handled proxying of data, making this a remote exploit that requires only network access and does not rely on local privileges.

Generated by OpenCVE AI on June 8, 2026 at 16:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache HTTP Server to version 2.4.68 or later, which resolves the buffer overflow in mod_proxy_html.
  • If the proxy module is not required for your environment, disable mod_proxy_html entirely to remove the attack surface.
  • Monitor your access logs and error logs for abnormal proxy activity or repeated crashes that may indicate exploitation attempts.

Generated by OpenCVE AI on June 8, 2026 at 16:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache http Server
Vendors & Products Apache
Apache http Server

Mon, 08 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description A buffer overflow in mod_proxy_html in Apache HTTP Server 2.4.67 and earlier allows an attack by an untrusted backend. Users are recommended to upgrade to version 2.4.68, which fixes this issue.
Title Apache HTTP Server: mod_proxy_html buffer overflow
Weaknesses CWE-122
References

Subscriptions

Apache Http Server
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-08T18:12:38.389Z

Reserved: 2026-03-27T11:32:12.684Z

Link: CVE-2026-34355

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-08T16:16:38.387

Modified: 2026-06-08T16:16:38.387

Link: CVE-2026-34355

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-08T17:30:06Z

Weaknesses