Description
Heap-based Buffer Overflow vulnerability in Apache HTTP Server with malicious backend servers and ProxyPassReverseCookie*

This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.

Users are recommended to upgrade to version 2.4.68, which fixes the issue.
Published: 2026-06-08
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Heap-based buffer overflow in Apache HTTP Server is triggered by malicious backend servers using ProxyPassReverseCookie* directives. The flaw can corrupt data on the server’s heap, potentially allowing an attacker to compromise the integrity of the HTTP server process.

Affected Systems

Apache HTTP Server versions 2.4.0 through 2.4.67 are affected. The vendor recommends upgrading to 2.4.68 or later to address the issue.

Risk and Exploitability

The vulnerability can be exploited by an attacker who controls a backend server that the proxy forwards to. No EPSS score is available and the vulnerability is not listed in CISA KEV, but the CVSS score of 7.5 indicates a high‑severity flaw that requires mitigation. Upgrading to the patched release eliminates the vulnerability.

Generated by OpenCVE AI on June 8, 2026 at 20:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache HTTP Server to version 2.4.68 or later to apply the buffer overflow fix.
  • Restrict the use of ProxyPassReverseCookie* directives to trusted backend servers only.
  • Ensure that proxy configuration files are protected so that only privileged administrators can modify them.

Generated by OpenCVE AI on June 8, 2026 at 20:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 23:30:00 +0000

Type Values Removed Values Added
References

Mon, 08 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 08 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache apache Http Server
Vendors & Products Apache
Apache apache Http Server

Mon, 08 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Heap-based Buffer Overflow vulnerability in Apache HTTP Server with malicious backend servers and ProxyPassReverseCookie* This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.
Title Apache HTTP Server: ProxyPassReverseCookieMap buffer overflow
Weaknesses CWE-122
References

Subscriptions

Apache Apache Http Server
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-08T22:32:24.906Z

Reserved: 2026-03-27T11:47:04.086Z

Link: CVE-2026-34356

cve-icon Vulnrichment

Updated: 2026-06-08T22:32:24.906Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-08T16:16:38.537

Modified: 2026-06-09T01:41:00.563

Link: CVE-2026-34356

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-08T20:30:06Z

Weaknesses