A new release of the Apache HTTP server, version 2.4.68, has been announced. It fixes 13 vulnerabilities and brings a number of other changes.
The fixed vulnerabilities fall into two severity tiers: the first six are rated moderate, the remaining seven low:
- CVE-2026-34355 – Buffer overflow in mod_proxy_html, triggered by accessing an attacker-controlled backend.
- CVE-2026-49975 – Denial of service vulnerability causing memory exhaustion for the process.
- CVE-2026-44186 – Infinite loop vulnerability in mod_proxy_ftp module when connecting to an attacker-controlled FTP server.
- CVE-2026-44119 – Local users with .htaccess file creation permissions can read file contents with httpd user privileges.
- CVE-2026-43951 – Process crash due to out-of-bounds memory read in mod_headers and mod_mime.
- CVE-2026-42535 – Vulnerability in mod_dav_fs allowing WebDAV content authors elevated directory access.
- CVE-2026-29167 – Use-after-free vulnerability in mod_ldap.
- CVE-2026-29170 – Cross-site scripting vulnerability in mod_proxy_ftp.
- CVE-2026-34356 – Buffer overflow in the ProxyPassReverseCookieMap implementation.
- CVE-2026-42536 – Buffer overflow in mod_xml2enc.
- CVE-2026-44185 – Out-of-bounds read in mod_ssl when querying an attacker-controlled OCSP server.
- CVE-2026-44631 – Buffer overflow when processing regular expressions in the configuration.
- CVE-2026-48913 – Use-after-free vulnerability in mod_http2, triggered when available file descriptors are exhausted.
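For an administrator triaging this list across a fleet, the practical question is which of these issues can reach a given build at all: a bug in a module that is not loaded is unreachable. The script below is an added example and is not part of the announcement or of the Apache project; it parses `httpd -v` and `httpd -M` output (the sample output embedded here is constructed, including the pre-fix version number), compares the version against 2.4.68, and reports the CVEs whose module, as named in the list above, is actually loaded. Entries the list does not tie to a module (memory exhaustion, the .htaccess read, and config regex handling) are treated as applying to every build; ProxyPassReverseCookieMap is mapped to mod_proxy, since that is the module the directive belongs to.

```python
import re
from typing import Dict, List, Set, Tuple

# Version that fixes the issues listed on the page.
FIXED_VERSION: Tuple[int, int, int] = (2, 4, 68)

# Module(s) the page names for each CVE. An empty tuple means the page names
# no module (core behaviour or configuration handling), so we treat it as
# reachable on every build. ProxyPassReverseCookieMap is a mod_proxy directive
# (known fact, not stated on the page).
CVE_MODULES: Dict[str, Tuple[str, ...]] = {
    "CVE-2026-34355": ("mod_proxy_html",),
    "CVE-2026-49975": (),
    "CVE-2026-44186": ("mod_proxy_ftp",),
    "CVE-2026-44119": (),
    "CVE-2026-43951": ("mod_headers", "mod_mime"),
    "CVE-2026-42535": ("mod_dav_fs",),
    "CVE-2026-29167": ("mod_ldap",),
    "CVE-2026-29170": ("mod_proxy_ftp",),
    "CVE-2026-34356": ("mod_proxy",),
    "CVE-2026-42536": ("mod_xml2enc",),
    "CVE-2026-44185": ("mod_ssl",),
    "CVE-2026-44631": (),
    "CVE-2026-48913": ("mod_http2",),
}

# Constructed sample output in the shape of `httpd -v` (assumed format).
SAMPLE_HTTPD_V = """Server version: Apache/2.4.67 (Unix)
Server built:   Jan  1 2026 00:00:00
"""

# Constructed sample output in the shape of `httpd -M` (assumed format).
SAMPLE_HTTPD_M = """Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 mpm_event_module (shared)
 headers_module (shared)
 mime_module (shared)
 proxy_module (shared)
 proxy_http_module (shared)
 ssl_module (shared)
"""


def parse_version(httpd_v_output: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from the 'Server version: Apache/x.y.z' line."""
    match = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", httpd_v_output)
    if not match:
        raise ValueError("no Apache/x.y.z version string found")
    return tuple(int(part) for part in match.groups())  # type: ignore[return-value]


def loaded_modules(httpd_m_output: str) -> Set[str]:
    """Turn 'name_module (static|shared)' lines into mod_name identifiers."""
    modules: Set[str] = set()
    for line in httpd_m_output.splitlines():
        match = re.match(r"^\s*(\w+)_module\s+\((?:static|shared)\)", line)
        if match:
            modules.add("mod_" + match.group(1))
    return modules


def applicable_cves(version: Tuple[int, int, int], modules: Set[str]) -> List[str]:
    """CVEs from the list that can reach this build: version below the fix and
    module loaded (or no specific module named)."""
    if version >= FIXED_VERSION:
        return []
    hits: List[str] = []
    for cve, needed in CVE_MODULES.items():
        if not needed or any(mod in modules for mod in needed):
            hits.append(cve)
    return hits


if __name__ == "__main__":
    version = parse_version(SAMPLE_HTTPD_V)
    mods = loaded_modules(SAMPLE_HTTPD_M)
    print("installed:", ".".join(map(str, version)), "fixed:", ".".join(map(str, FIXED_VERSION)))
    for cve in applicable_cves(version, mods):
        print("reachable:", cve, "via", CVE_MODULES[cve] or "(core)")
```

On a real host, replace the two sample strings with the output of `httpd -v` and `httpd -M` (or `apachectl -M`); the module-name conversion assumes the usual `name_module (shared)` line format. A build at or above 2.4.68 yields an empty list, which is the only state that clears all 13 entries.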
Among the non-security improvements are: