The Apache Software Foundation has announced the release of Apache HTTP Server version 2.4.68 on June 8, 2026. This latest update addresses 13 significant security vulnerabilities that impact various modules within the server. Administrators are strongly advised to update to this version to enhance security and functionality.
Critical Security Flaws Patched
This update resolves multiple security issues including use-after-free conditions, cross-site scripting (XSS), heap-based buffer overflows, denial-of-service (DoS) attacks, privilege escalation, and out-of-bounds read problems. These vulnerabilities affect all versions from 2.4.0 to 2.4.67, making the update essential for users on any prior version.
Details on Use-After-Free and XSS Issues
Two notable use-after-free vulnerabilities have been addressed. CVE-2026-29167, a use-after-free in the mod_ldap module under per-directory configurations, affects versions 2.4.0 through 2.4.67 and was reported by Pavel Kohout of Aisle Research. The second, CVE-2026-48913, affects the mod_http2 module when file handles are exhausted; it was reported by Sam Lovejoy of IBM X-Force Offensive Research (XOR) and impacts versions 2.4.55 through 2.4.67.
An XSS vulnerability, CVE-2026-29170, was identified in the mod_proxy_ftp module, where output from FTP directory listings is not sanitized before being rendered, allowing injected content to reach the client. This flaw affects all versions up to 2.4.67 and was discovered by Pavel Kohout.
Buffer Overflow and Denial-of-Service Vulnerabilities
Four buffer overflow issues have been corrected. These include CVE-2026-34355, a moderate severity buffer overflow in mod_proxy_html discovered by Elhanan Haenel and Junhui Lee, and CVE-2026-34356, a heap-based overflow in ProxyPassReverseCookieMap, identified by Arkadi Vainbrand and depthfirst.
Further, CVE-2026-42536, a heap overflow in mod_xml2enc, was reported by Zhenpeng (Leo) Lin of depthfirst. CVE-2026-44631, a heap underwrite vulnerability in ap_regname, was found by Lin and Bartlomiej Dmitruk.
Two notable DoS vulnerabilities were fixed. CVE-2026-49975, which allows memory exhaustion in mod_http2, was discovered by Quang Luong of Calif.IO in collaboration with OpenAI Codex. CVE-2026-44186 could trigger an infinite loop in mod_proxy_ftp through actions of an attacker-controlled backend FTP server.
Recommendation and Future Updates
The Apache Software Foundation strongly advocates for an immediate upgrade to version 2.4.68, as no workarounds are available for most of these vulnerabilities. The updated version can be downloaded from the official Apache website.
