Description
Heap-based Buffer Overflow vulnerability in Apache HTTP Server with mod_xml2enc, xml2StartParse, and untrusted content

This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.

Users are recommended to upgrade to version 2.4.68, which fixes the issue.
Published: 2026-06-08
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A heap-based buffer overflow occurs when Apache HTTP Server processes untrusted XML content through mod_xml2enc, specifically during the xml2StartParse function. The vulnerability could allow an attacker to manipulate allocated memory on the heap, potentially leading to application crashes or the execution of arbitrary code. The unsafe handling of untrusted XML data enables the attacker to trigger the overflow during normal HTTP request processing, making the flaw exploitable remotely.

Affected Systems

The flaw affects Apache HTTP Server versions 2.4.0 through 2.4.67 released by the Apache Software Foundation. Users running any of these builds are at risk until they upgrade to a version that contains the fix.

Risk and Exploitability

The vulnerability is a classic heap buffer overflow (CWE-122). No EPSS score is available, and the flaw is not listed in CISA KEV. While the exact CVSS base score is not provided, the nature of the flaw suggests a high potential for remote exploitation. The attack vector is inferred to be remote, via crafted XML sent over HTTP to the vulnerable server. An attacker could likely cause a crash or hijack execution if the exploit succeeds.

Generated by OpenCVE AI on June 8, 2026 at 16:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch by upgrading Apache HTTP Server to version 2.4.68 or later
  • If upgrading immediately is not possible, configure the server to drop or reject XML requests sent to mod_xml2enc to limit exposure
  • Continuously monitor server logs and network traffic for abnormal XML payloads and signs of exploitation attempts

Generated by OpenCVE AI on June 8, 2026 at 16:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache http Server
Vendors & Products Apache
Apache http Server

Mon, 08 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Heap-based Buffer Overflow vulnerability in Apache HTTP Server with mod_xml2enc, xml2StartParse, and untrusted content This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.
Title Apache HTTP Server: mod_xml2enc heap overflow
Weaknesses CWE-122
References

Subscriptions

Apache Http Server
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-08T15:23:46.290Z

Reserved: 2026-04-28T16:06:25.760Z

Link: CVE-2026-42536

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-08T16:16:39.263

Modified: 2026-06-08T16:16:39.263

Link: CVE-2026-42536

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-08T17:30:06Z

Weaknesses