Description
Buffer Underwrite vulnerability in Apache HTTP Server on crafted regular expressions in the configuration.

This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.

Users are recommended to upgrade to version 2.4.68, which fixes the issue.
Published: 2026-06-08
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a buffer underflow caused by a signed character overflow in the `ap_regname` function, which processes regular expression patterns in Apache HTTP Server configuration files. This flaw falls under CWE-124 and can lead to memory corruption that may allow an attacker to execute arbitrary code or crash the server. Because the affected area lies in the parsing of configuration directives, exploitation would require malformed configuration input to trigger the overflow.

Affected Systems

Apache HTTP Server versions 2.4.0 through 2.4.67 are vulnerable. Versions 2.4.68 and later include the fix. The issue is specific to the HTTP server component of the Apache Software Foundation's product line.

Risk and Exploitability

The CVSS score is 9.8, and EPSS is not available; the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is configuration‑based, meaning that an attacker would need the ability to inject crafted regular expressions into the server's configuration file. This typically requires local or privileged access or a web interface that allows configuration changes. Given the absence of a publicly available exploit and the need for configuration modification, the risk is considered moderate, but the potential for remote code execution warrants prompt remediation.

Generated by OpenCVE AI on June 8, 2026 at 21:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Apache HTTP Server 2.4.68 or later to apply the fix.
  • Restrict write access to configuration directories so that only trusted administrators may alter files that contain regular expression patterns.
  • Monitor the server for abnormal crash events or memory corruption signs, and review logs for suspicious configuration changes.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 23:30:00 +0000

Type: References

Mon, 08 Jun 2026 20:30:00 +0000

Type: Metrics
Values Added:
cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 08 Jun 2026 17:00:00 +0000

Type: First Time appeared
Values Added: Apache; Apache apache Http Server

Type: Vendors & Products
Values Added: Apache; Apache apache Http Server

Mon, 08 Jun 2026 15:45:00 +0000

Type: Description
Values Added: Buffer Underwrite vulnerability in Apache HTTP Server on crafted regular expressions in the configuration. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.

Type: Title
Values Added: Apache HTTP Server: Heap Underflow in `ap_regname` via Signed Char Overflow

Type: Weaknesses
Values Added: CWE-124

Type: References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-08T22:32:33.325Z

Reserved: 2026-05-07T12:39:02.065Z

Link: CVE-2026-44631

Vulnrichment

Updated: 2026-06-08T22:32:33.325Z

NVD

Status: Awaiting Analysis

Published: 2026-06-08T16:16:40.583

Modified: 2026-06-09T01:41:00.563

Link: CVE-2026-44631

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T21:30:06Z