CRITICAL🇵🇱 Wersja polska

CVE-2026-29167

CVSS 9.8pub. 2026-06-08upd. 2026-06-09

Use After Free vulnerability in Apache HTTP Server with mod_ldap in per-directory configuration This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.

🤖 AI Analysis
How it works

The vulnerability consists of referencing a memory area that has already been freed (use-after-free, CWE-416), in the context of processing mod_ldap configuration at the directory level. This error can lead to memory corruption in the HTTP server process. An attacker can potentially exploit this mechanism remotely over the network, without needing to possess privileges or user interaction, which reflects the CVSS vector AV:N/AC:L/PR:N/UI:N.

Impact

Successful exploitation of the vulnerability may lead to disclosure of sensitive data, modification of data or server resources, as well as complete loss of service availability — in all three dimensions the impact assessment is HIGH according to the CVSS vector.

Mitigation & patch

Apache HTTP Server must be updated immediately to version 2.4.68, which contains a patch eliminating the described vulnerability. Details are available on the vendor's website: https://httpd.apache.org/security/vulnerabilities_24.html

Who is affected

Apache HTTP Server in versions from 2.4.0 to 2.4.67 (inclusive) with mod_ldap module enabled and configuration applied at the directory level.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache HTTP Server

    APP
    Apache
    2.4.0 – 2.4.68 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Memory
CWE
References

Related vulnerabilities

CVE-2024-38475CRITICAL9.1⚠ KEVPL ✓ten sam produkt

Apache HTTP Server mod_rewrite — ujawnienie kodu i RCE poprzez błędne escapowanie

CVE-2021-42013CRITICAL9.8⚠ KEVten sam produkt

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could ...

CVE-2021-41773CRITICAL9.8⚠ KEVten sam produkt

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a ...

CVE-2021-40438CRITICAL9.0⚠ KEVten sam produkt

A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remot...

CVE-2026-42535CRITICAL9.1PL ✓ten sam produkt

Apache HTTP Server mod_dav_fs — manipulacja bazą właściwości DAV i crash procesów