CVE-2026-42536 - Vulnerability Details

- Apache HTTP Server: mod_xml2enc heap overflow

Description

Heap-based Buffer Overflow vulnerability in Apache HTTP Server with mod_xml2enc, xml2StartParse, and untrusted content

This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.

Users are recommended to upgrade to version 2.4.68, which fixes the issue.

Published: 2026-06-08

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A heap-based buffer overflow occurs when Apache HTTP Server processes untrusted XML content through mod_xml2enc, specifically during the xml2StartParse function. The vulnerability could allow an attacker to manipulate allocated memory on the heap, potentially leading to application crashes or the execution of arbitrary code. The unsafe handling of untrusted XML data enables the attacker to trigger the overflow during normal HTTP request processing, making the flaw exploitable remotely.

Affected Systems

The flaw affects Apache HTTP Server versions 2.4.0 through 2.4.67 released by the Apache Software Foundation. Users running any of these builds are at risk until they upgrade to a version that contains the fix.

Risk and Exploitability

The vulnerability is a classic heap buffer overflow (CWE-120 and CWE-122). The EPSS score is less than 1%, indicating a very low but nonzero exploitation probability. The flaw is not listed in CISA KEV. The CVSS base score is 7.5, indicating a high severity and potential for remote exploitation. The attack vector is inferred to be remote, via crafted XML sent over HTTP to the vulnerable server. An attacker could likely cause a crash or hijack execution if the exploit succeeds.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Apache Software Foundation

Apache HTTP Server

unaffected

Version	Status	Constraints
`2.4.0`	affected	≤ 2.4.67

Configuration 1 [-]

cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Apache

Http Server

95%

Version	Status	Scheme	Platform
`[2.4.0,2.4.67]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the vendor patch by upgrading Apache HTTP Server to version 2.4.68 or later
If upgrading immediately is not possible, configure the server to drop or reject XML requests sent to mod_xml2enc to limit exposure
Continuously monitor server logs and network traffic for abnormal XML payloads and signs of exploitation attempts

Generated by OpenCVE AI on June 19, 2026 at 01:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4629-1	apache2 security update

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00498.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
http://www.openwall.com/lists/oss-security/2026/06/08/9
https://httpd.apache.org/security/vulnerabilities_24.html
https://nvd.nist.gov/vuln/detail/CVE-2026-42536
https://www.cve.org/CVERecord?id=CVE-2026-42536

History

Fri, 19 Jun 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-120
References		https://nvd.nist.gov/vuln/detail/CVE-2026-42536 https://www.cve.org/CVERecord?id=CVE-2026-42536
Metrics	threat_severity `None`	threat_severity `Important`

Tue, 09 Jun 2026 16:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:apache:http_server::::::::

Mon, 08 Jun 2026 23:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/06/08/9

Mon, 08 Jun 2026 19:30:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 08 Jun 2026 17:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apache Apache http Server
Vendors & Products		Apache Apache http Server

Mon, 08 Jun 2026 15:45:00 +0000

Type	Values Removed	Values Added
Description		Heap-based Buffer Overflow vulnerability in Apache HTTP Server with mod_xml2enc, xml2StartParse, and untrusted content This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.
Title		Apache HTTP Server: mod_xml2enc heap overflow
Weaknesses		CWE-122
References		https://httpd.apache.org/security/vulnerabilities_24.html

Subscriptions

Apache Http Server

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2026-06-08T15:23:46.290Z

Updated: 2026-06-08T22:32:27.355Z

Reserved: 2026-04-28T16:06:25.760Z

Link: CVE-2026-42536

Vulnrichment

Updated: 2026-06-08T22:32:27.355Z

NVD

Status : Analyzed

Published: 2026-06-08T16:16:39.263

Modified: 2026-06-09T15:55:19.853

Link: CVE-2026-42536

Redhat

Severity : Important

Publid Date: 2026-06-08T15:23:46Z

Links: CVE-2026-42536 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-19T01:30:16Z

Weaknesses

CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-122
Heap-based Buffer Overflow

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object