Description
Heap-based Buffer Overflow vulnerability in Apache HTTP Server with malicious backend servers and ProxyPassReverseCookie*

This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.

Users are recommended to upgrade to version 2.4.68, which fixes the issue.
Published: 2026-06-08
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Heap-based buffer overflow in Apache HTTP Server is triggered by malicious backend servers using ProxyPassReverseCookie* directives. The flaw can corrupt data on the server’s heap, potentially allowing an attacker to compromise the integrity of the HTTP server process.

Affected Systems

Apache HTTP Server versions 2.4.0 through 2.4.67 are affected. The vendor recommends upgrading to 2.4.68 or later to address the issue.

Risk and Exploitability

The vulnerability can be exploited by an attacker who controls a backend server that the proxy forwards to. The EPSS score is less than 1%, indicating a very low but nonzero exploitation probability, and the vulnerability is not listed in CISA KEV. The CVSS score of 7.5 indicates a high‑severity flaw that requires mitigation. Upgrading to the patched release eliminates the vulnerability.

Generated by OpenCVE AI on June 19, 2026 at 01:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache HTTP Server to version 2.4.68 or later to apply the buffer overflow fix.
  • Restrict the use of ProxyPassReverseCookie* directives to trusted backend servers only.
  • Ensure that proxy configuration files are protected so that only privileged administrators can modify them.

Generated by OpenCVE AI on June 19, 2026 at 01:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4629-1 apache2 security update
History

Fri, 19 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 09 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Apache http Server
CPEs cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
Vendors & Products Apache http Server

Mon, 08 Jun 2026 23:30:00 +0000

Type Values Removed Values Added
References

Mon, 08 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 08 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache apache Http Server
Vendors & Products Apache
Apache apache Http Server

Mon, 08 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Heap-based Buffer Overflow vulnerability in Apache HTTP Server with malicious backend servers and ProxyPassReverseCookie* This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.
Title Apache HTTP Server: ProxyPassReverseCookieMap buffer overflow
Weaknesses CWE-122
References

Subscriptions

Apache Apache Http Server Http Server
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-08T22:32:24.906Z

Reserved: 2026-03-27T11:47:04.086Z

Link: CVE-2026-34356

cve-icon Vulnrichment

Updated: 2026-06-08T22:32:24.906Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-08T16:16:38.537

Modified: 2026-06-09T16:17:19.160

Link: CVE-2026-34356

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-08T15:12:21Z

Links: CVE-2026-34356 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T02:00:10Z

Weaknesses
  • CWE-120

    Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

  • CWE-122

    Heap-based Buffer Overflow