Description
Buffer Over-read vulnerability in Apache HTTP Server via outbound OCSP requests to an attacker controlled OCSP server

This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.

Users are recommended to upgrade to version 2.4.68, which fixes the issue.
Published: 2026-06-08
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a stack buffer over-read that occurs in the OCSP resend logic within Apache HTTP Server’s mod_ssl module when sending outbound OCSP requests. The over-read can allow sensitive data from adjacent memory to be inadvertently exposed and can trigger an application crash, thereby disrupting service availability. No evidence indicates this flaw offers code execution or privilege escalation capabilities; its principal consequence is loss of service continuity and potential information leakage.

Affected Systems

The affected product is Apache HTTP Server, produced by the Apache Software Foundation. All releases from version 2.4.0 through 2.4.67 contain the flaw, while 2.4.68 and later versions contain the fix.

Risk and Exploitability

An attacker can trigger the vulnerability by controlling an OCSP responder that the server contacts and by inducing the web server to issue a request, for example via a crafted HTTPS connection. Because the exploit relies on outbound traffic to a server controlled by the attacker, it is a remote, network‑based vulnerability. No EPSS score is available and the flaw is not listed in the CISA KEV catalogue, suggesting that it is not currently widely exploited. The CVSS score of 7.3 indicates moderate to high severity. The severity of a crash or information leak, while disruptive, is lower than a remote code‑execution flaw, but the possibility of denial of service remains significant.

Generated by OpenCVE AI on June 8, 2026 at 20:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache HTTP Server to version 2.4.68 or later, which contains the buffer over‑read fix.
  • If upgrading immediately is not possible, configure the server to avoid using OCSP stapling or to consult a trusted OCSP responder to limit the attack surface.
  • Monitor server logs for OCSP request failures or unexpected crashes, and investigate anomalies promptly to ensure the vulnerability is not being leveraged.

Generated by OpenCVE AI on June 8, 2026 at 20:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 23:30:00 +0000

Type Values Removed Values Added
References

Mon, 08 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 08 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache http Server
Vendors & Products Apache
Apache http Server

Mon, 08 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Buffer Over-read vulnerability in Apache HTTP Server via outbound OCSP requests to an attacker controlled OCSP server This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.
Title Apache HTTP Server: Stack Buffer Over-Read in mod_ssl OCSP `send_request`
Weaknesses CWE-126
References

Subscriptions

Apache Http Server
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-08T22:32:30.948Z

Reserved: 2026-05-05T14:42:10.681Z

Link: CVE-2026-44185

cve-icon Vulnrichment

Updated: 2026-06-08T22:32:30.948Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-08T16:16:40.327

Modified: 2026-06-09T01:41:00.563

Link: CVE-2026-44185

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-08T20:45:32Z

Weaknesses