CVE-2026-34355 - Vulnerability Details

- Apache HTTP Server: mod_proxy_html buffer overflow

Description

A buffer overflow in mod_proxy_html in Apache HTTP Server 2.4.67 and earlier allows an attack by an untrusted backend.
Users are recommended to upgrade to version 2.4.68, which fixes this issue.

Published: 2026-06-08

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a stack‑based buffer overflow in Apache HTTP Server’s mod_proxy_html component. It occurs when the module improperly processes responses from a backend server. Based on the description, it is inferred that an attacker can trigger the overflow by directing the server to proxy content from an untrusted backend. The resulting memory corruption may cause the server to crash or, in the worst case, allow arbitrary code execution if the attacker can control the overflowed data. The weakness is identified as CWE‑120 and CWE‑122.

Affected Systems

The flaw affects Apache HTTP Server, versions 2.4.67 and earlier, which include the mod_proxy_html module. The vendor recommends upgrading to version 2.4.68 or later to apply the patch that fixes the buffer handling in the proxy module.

Risk and Exploitability

The CVSS score of 7.5 denotes high severity, and the EPSS score is < 1%, indicating a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote over the network, requiring an attacker to send crafted requests that trigger the faulty proxy handling. The exploit does not require local privileges and can be executed from an external host that can communicate with the web server.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Apache Software Foundation

Apache HTTP Server

unaffected

Version	Status	Constraints
`2.4.0`	affected	≤ 2.4.67

Configuration 1 [-]

cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Apache

Http Server

95%

Version	Status	Scheme	Platform
`[2.4.0,2.4.67]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Apache HTTP Server to version 2.4.68 or later, which resolves the buffer overflow in mod_proxy_html.
If the proxy module is not required for your environment, disable mod_proxy_html entirely to eliminate the attack surface.
Monitor access and error logs for abnormal proxy activity or repeated crashes that may indicate exploitation attempts.

Generated by OpenCVE AI on June 19, 2026 at 01:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4629-1	apache2 security update

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00565.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
http://www.openwall.com/lists/oss-security/2026/06/08/6
https://httpd.apache.org/security/vulnerabilities_24.html
https://nvd.nist.gov/vuln/detail/CVE-2026-34355
https://www.cve.org/CVERecord?id=CVE-2026-34355

History

Fri, 19 Jun 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-120
References		https://nvd.nist.gov/vuln/detail/CVE-2026-34355 https://www.cve.org/CVERecord?id=CVE-2026-34355
Metrics	threat_severity `None`	threat_severity `Important`

Tue, 09 Jun 2026 16:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:apache:http_server::::::::

Mon, 08 Jun 2026 23:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/06/08/6

Mon, 08 Jun 2026 19:30:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 08 Jun 2026 17:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apache Apache http Server
Vendors & Products		Apache Apache http Server

Mon, 08 Jun 2026 15:45:00 +0000

Type	Values Removed	Values Added
Description		A buffer overflow in mod_proxy_html in Apache HTTP Server 2.4.67 and earlier allows an attack by an untrusted backend. Users are recommended to upgrade to version 2.4.68, which fixes this issue.
Title		Apache HTTP Server: mod_proxy_html buffer overflow
Weaknesses		CWE-122
References		https://httpd.apache.org/security/vulnerabilities_24.html

Subscriptions

Apache Http Server

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2026-06-08T15:20:30.900Z

Updated: 2026-06-08T22:32:23.731Z

Reserved: 2026-03-27T11:32:12.684Z

Link: CVE-2026-34355

Vulnrichment

Updated: 2026-06-08T22:32:23.731Z

NVD

Status : Analyzed

Published: 2026-06-08T16:16:38.387

Modified: 2026-06-09T16:20:56.597

Link: CVE-2026-34355

Redhat

Severity : Important

Publid Date: 2026-06-08T15:20:30Z

Links: CVE-2026-34355 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-19T02:00:10Z

Weaknesses

CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-122
Heap-based Buffer Overflow

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object