Impact
This vulnerability is an out‑of‑bounds read in the Apache HTTP Server's merge_response_headers routine. The affected code path is reached when mod_headers and mod_mime are both loaded and the server is configured to serve responses in multiple languages. The out‑of‑bounds read can cause a memory access violation that crashes the serving process, resulting in a denial of service. The weakness is classified as CWE‑125 (Out‑of‑bounds Read). The CVE record does not claim that the crash leads to arbitrary code execution; it states only that the server terminates unexpectedly.
Affected Systems
The affected product is Apache HTTP Server from the Apache Software Foundation. Vulnerable releases range from 2.4.0 through 2.4.67 inclusive. An installation is exposed only when all three conditions hold: the release is in that range, the mod_headers and mod_mime modules are loaded, and the configuration serves responses in multiple languages (for example, through several mod_mime AddLanguage mappings).
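The three preconditions above can be checked together. The script below is an added triage helper, not code from the advisory or from the Apache project; it assumes `httpd -v` style version output, `httpd -M` style module listings and an Apache-format configuration, and the sample inputs at the bottom are constructed. Counting distinct AddLanguage mappings is a heuristic for "multiple response languages" (an assumption of this example, since the trigger is a response that actually carries more than one language), so treat it as an exposure indicator rather than proof.

```shell
#!/bin/sh
# Added triage helper; not code from the advisory or the Apache project.
# It checks the three preconditions the advisory lists: an affected release,
# mod_headers and mod_mime both loaded, and more than one response language
# configured. On a live host feed it the output of `httpd -v`, `httpd -M`
# and your fully merged httpd.conf; the samples at the bottom are constructed.

# Return 0 if the version (bare "2.4.58" or a full `httpd -v` line) is in 2.4.0..2.4.67.
httpd_version_affected() {
    ver=$(printf '%s\n' "$1" | sed -n '1s#.*Apache/\([0-9][0-9.]*\).*#\1#p')
    [ -n "$ver" ] || ver="$1"            # no "Apache/" prefix: treat input as a bare version
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;
    esac
    patch=${patch%%[!0-9]*}              # drop any suffix such as "-1" or "rc1"
    [ "$major" = 2 ] && [ "$minor" = 4 ] && [ "${patch:-0}" -le 67 ]
}

# Return 0 if an `httpd -M` listing shows both headers_module and mime_module.
modules_loaded() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*headers_module' &&
        printf '%s\n' "$1" | grep -q '^[[:space:]]*mime_module'
}

# Print the number of distinct languages mapped with AddLanguage (comments ignored).
language_count() {
    printf '%s\n' "$1" |
        sed 's/#.*//' |
        awk 'tolower($1) == "addlanguage" { print tolower($2) }' |
        sort -u | wc -l | tr -d ' '
}

# Return 0 when all three preconditions hold for the given version, modules and config.
exposed() {
    httpd_version_affected "$1" &&
        modules_loaded "$2" &&
        [ "$(language_count "$3")" -ge 2 ]
}

# Constructed sample inputs standing in for `httpd -v`, `httpd -M` and httpd.conf.
SAMPLE_VERSION='Server version: Apache/2.4.58 (Unix)'
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 mime_module (shared)
 headers_module (shared)
 dir_module (shared)'
SAMPLE_CONF='# constructed fragment in the style of the stock httpd-languages.conf
AddLanguage en .en
AddLanguage fr .fr
AddLanguage de .de
# AddLanguage ja .ja   (commented out, so not counted)'

if exposed "$SAMPLE_VERSION" "$SAMPLE_MODULES" "$SAMPLE_CONF"; then
    echo "exposed: affected release, both modules loaded, $(language_count "$SAMPLE_CONF") languages mapped"
else
    echo "not exposed"
fi
```

On Debian and Ubuntu the module listing comes from `apache2ctl -M` rather than `httpd -M`, and the language mappings usually live in an included file, so pass the merged configuration rather than a single file. A "not exposed" result from the version check alone is the only definitive outcome; the other two checks describe configuration, which can change.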
Risk and Exploitability
The CVSS score is 6.5, a Medium severity rating. No EPSS exploit probability score has been published, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. The attack vector is most likely network‑based: the out‑of‑bounds read occurs while the server processes an incoming HTTP request, and no authentication is required. Because the read can crash the server, an attacker who can reach a vulnerable instance may trigger it repeatedly to cause recurring outages. On the Unix MPMs a crash typically takes down a single worker process, which the parent process respawns, so a sustained denial of service means sending the triggering request again and again. Exploitation requires that mod_headers and mod_mime both be loaded and that multiple response languages be configured; this narrows the set of exposed servers but does not eliminate the risk. The described impact is availability only: forced restarts or downtime of the target web server.
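Repeated worker crashes leave a recognisable trace in the error log, which is the practical way to spot an attacker exercising this flaw. The script below is an added detection example, not code from the advisory or the Apache project; the log lines are constructed, and the AH00052 "child pid ... exit signal" message is the line the httpd parent process writes when a worker dies on a signal. The threshold and the one-minute bucketing are assumptions of this example.

```shell
#!/bin/sh
# Added detection example; not code from the advisory or the Apache project.
# Flags one-minute windows in an httpd error_log in which worker processes
# died on a signal at least `threshold` times. Such a burst is the symptom an
# attacker hitting the OOB read repeatedly would leave behind.

# Usage: crash_bursts "<error_log text>" [threshold]
# Prints "HH:MM count" for each minute whose signal-exit count reaches the
# threshold (default 3), sorted by time; prints nothing if no window qualifies.
crash_bursts() {
    threshold="${2:-3}"
    printf '%s\n' "$1" | awk -v thr="$threshold" '
        /AH00052/ && /exit signal/ {
            # timestamps look like [Tue Jan 02 10:15:33.123456 2024]; bucket by HH:MM
            if (match($0, /[0-9][0-9]:[0-9][0-9]:[0-9][0-9]/)) {
                bucket = substr($0, RSTART, 5)
                n[bucket]++
            }
        }
        END {
            for (b in n) if (n[b] >= thr) printf "%s %d\n", b, n[b]
        }' | sort
}

# Constructed error_log excerpt: three worker crashes inside one minute, one later.
SAMPLE_LOG='[Tue Jan 02 10:15:01.000001 2024] [mpm_event:notice] [pid 1000:tid 1] AH00489: Apache/2.4.58 (Unix) configured -- resuming normal operations
[Tue Jan 02 10:15:33.123456 2024] [core:notice] [pid 1000:tid 1] AH00052: child pid 2001 exit signal Segmentation fault (11)
[Tue Jan 02 10:15:41.000000 2024] [core:notice] [pid 1000:tid 1] AH00052: child pid 2002 exit signal Segmentation fault (11)
[Tue Jan 02 10:15:52.000000 2024] [core:notice] [pid 1000:tid 1] AH00052: child pid 2003 exit signal Segmentation fault (11)
[Tue Jan 02 10:17:05.000000 2024] [core:notice] [pid 1000:tid 1] AH00052: child pid 2004 exit signal Segmentation fault (11)'

# On a live host: crash_bursts "$(cat /var/log/httpd/error_log)" 3
bursts=$(crash_bursts "$SAMPLE_LOG")
if [ -n "$bursts" ]; then
    echo "crash bursts detected (minute count):"
    echo "$bursts"
else
    echo "no crash bursts"
fi
```

A crash cluster is a lead, not proof of this particular bug: any worker crash logs the same AH00052 line, so correlate the timestamps with access_log entries for the requests served at that moment before drawing conclusions.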
OpenCVE Enrichment