Apache HTTP Server 2.4.68 Released With Fix For Use-After-Free, DoS, XSS, and Buffer Overflow Flaws

The Apache Software Foundation released Apache HTTP Server version 2.4.68 on June 8, 2026, addressing 13 security vulnerabilities spanning multiple modules.

The patched flaws include use-after-free conditions, cross-site scripting, heap-based buffer overflows, denial-of-service, privilege escalation, and out-of-bounds read issues affecting all versions from 2.4.0 through 2.4.67.

Administrators running any prior release are strongly urged to upgrade immediately.

Apache HTTP Server 2.4.68

Use-After-Free (UAF) Flaws

Two use-after-free vulnerabilities were patched in this release. CVE-2026-29167 affects mod_ldap in per-directory configurations, where a dangling pointer can be triggered across versions 2.4.0–2.4.67, discovered by Pavel Kohout of Aisle Research.

The second, CVE-2026-48913, impacts the mod_http2 module when file handles are already exhausted — affecting the narrower range of 2.4.55–2.4.67 — and was reported by Sam Lovejoy of IBM X-Force Offensive Research (XOR).

Cross-Site Scripting (XSS)

CVE-2026-29170 describes an XSS flaw in mod_proxy_ftp‘s HTML directory listing generation. When Apache proxies FTP directory contents — either via forward or reverse proxy — unsanitized output can allow script injection. This low-severity issue affects all versions through 2.4.67 and was also discovered by Pavel Kohout of Aisle Research.

Buffer Overflow and Memory Corruption

Four buffer overflow vulnerabilities were remediated:

• CVE-2026-34355 (moderate) — A buffer overflow in mod_proxy_html exploitable by an untrusted backend server, found by Elhanan Haenel and Junhui Lee
• CVE-2026-34356 (low) — A heap-based overflow in ProxyPassReverseCookieMap triggered via malicious backend servers, discovered by Arkadi Vainbrand and depthfirst
• CVE-2026-42536 (low) — A heap overflow in mod_xml2enc via xml2StartParse with untrusted content, reported by Zhenpeng (Leo) Lin of depthfirst
• CVE-2026-44631 (low) — A heap underwrite in ap_regname caused by signed char overflow in crafted regex configurations, found by Lin and Bartlomiej Dmitruk

Denial of Service

Two DoS vulnerabilities were fixed. CVE-2026-49975 (moderate) allows memory allocation exhaustion in mod_http2 via malicious HTTP/2 requests, affecting versions 2.4.17–2.4.67, discovered by Quang Luong of Calif.IO in collaboration with OpenAI Codex. CVE-2026-44186 (moderate) triggers an infinite loop in mod_proxy_ftp‘s handler via an attacker-controlled backend FTP server.

Other Notable Fixes

• CVE-2026-43951 (moderate) — An out-of-bounds read in merge_response_headers when mod_headers and mod_mime handle multiple response languages, causing child process crashes
• CVE-2026-42535 (moderate) — A path handling flaw in mod_dav_fs allowing WebDAV authors to manipulate trusted DAV property databases
• CVE-2026-44185 (low) — A stack buffer over-read in mod_ssl‘s OCSP send_request via attacker-controlled OCSP servers
• CVE-2026-44119 (moderate) — A privilege escalation flaw allowing local .htaccess authors to read files with httpd user privileges, reported by 10 independent researchers

The Apache Software Foundation recommends all users upgrade to Apache HTTP Server 2.4.68 immediately. No workarounds are available for most of these vulnerabilities. The updated release is available via the official Apache download page.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates.