Apache has released new security patches addressing critical and high-severity vulnerabilities in its HTTP Server and MINA project. These updates, announced on Monday, fix issues that could potentially allow remote code execution (RCE).
Details of the Apache HTTP Server Patch
The latest version, Apache HTTP Server 2.4.67, includes fixes for 11 security flaws. Notably, 10 of these vulnerabilities affect all previous versions of the software. Among these is CVE-2026-23918, a critical double-free and possible RCE vulnerability within the HTTP/2 protocol. Attackers could exploit this flaw by initiating an early reset, potentially leading to a denial-of-service (DoS) attack and arbitrary code execution.
Another significant issue addressed is CVE-2026-28780, which is a heap buffer overflow vulnerability. This flaw allows remote attackers to craft AJP messages to cause a DoS condition and execute malicious code. Additionally, three other vulnerabilities, identified as CVE-2026-29168, CVE-2026-29169, and CVE-2026-33007, pose risks of DoS attacks.
Information Disclosure and Security Weaknesses
The update also mitigates several vulnerabilities that could lead to information disclosure, including CVE-2026-24072, CVE-2026-33857, CVE-2026-34032, and CVE-2026-34059. Furthermore, CVE-2026-33523, a CRLF sequence neutralization issue, allows attackers to manipulate HTTP responses. Another critical patch addresses a timing side-channel weakness, tracked as CVE-2026-33006, which could facilitate Digest authentication bypass.
Apache MINA Updates
In addition to HTTP Server updates, Apache has rolled out MINA 2.2.7 and MINA 2.1.12. These versions rectify two critical vulnerabilities, which include CVE-2026-42778 and CVE-2026-42779. The former is an incomplete fix for previous deserialization vulnerabilities, while the latter addresses an improper check flaw, both of which could lead to RCE.
Apache advises organizations to explicitly configure their systems to accept only trusted classes in the ObjectSerializationDecoder instance following these updates, ensuring enhanced security.
As vulnerabilities continue to emerge, these updates are crucial for maintaining the integrity and security of systems relying on Apache’s software. Organizations are strongly urged to apply these patches immediately to safeguard against potential exploits.
