CRITICALπŸ‡΅πŸ‡± Wersja polska

CVE-2026-44631

CVSS 9.8v3.1pub. 2026-06-08upd. 2026-06-11

Buffer Underwrite vulnerability in Apache HTTP Server on crafted regular expressions in the configuration. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.

πŸ€– AI Analysis
How it works

The vulnerability is a buffer underwrite error that can be triggered through specially crafted regular expressions placed in Apache HTTP Server configuration. Writing data below the lower boundary of the allocated memory buffer can lead to corruption of adjacent data structures or code. A network attack vector without requiring authentication or user interaction (AV:N/AC:L/PR:N/UI:N) indicates that the exploit can be executed remotely with low complexity.

Impact

An attacker can gain full control over the server, which includes unauthorized access to sensitive data, data modification, and the ability to cause service unavailability. High impact on confidentiality, integrity, and availability (C:H/I:H/A:H) makes this vulnerability exceptionally dangerous.

Mitigation & patch

Apache HTTP Server must be updated immediately to version 2.4.68, which contains a patch eliminating the described vulnerability. Details available on the vendor's website: https://httpd.apache.org/security/vulnerabilities_24.html

Who is affected

Apache HTTP Server in versions 2.4.0 to 2.4.67 inclusive.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache HTTP Server

    APP
    Apache
    2.4.0 – 2.4.68 (bez)
πŸ”΅
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-38475CRITICAL9.1⚠ KEVPL βœ“ten sam produkt

Apache HTTP Server mod_rewrite β€” ujawnienie kodu i RCE poprzez bΕ‚Δ™dne escapowanie

CVE-2021-42013CRITICAL9.8⚠ KEVten sam produkt

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could ...

CVE-2021-41773CRITICAL9.8⚠ KEVten sam produkt

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a ...

CVE-2021-40438CRITICAL9.0⚠ KEVten sam produkt

A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remot...

CVE-2026-29167CRITICAL9.8PL βœ“ten sam produkt

Use-after-free w Apache HTTP Server z mod_ldap (CVE-2026-29167)

CVE-2026-44631 β€” Apache β€” Http Server β€” CRITICAL β€” CVSS 9.8 | CVEbaza.pl