The Apache Software Foundation released Apache HTTP Server version 2.4.68 on June 8, 2026, addressing 13 security vulnerabilities spanning multiple modules.
The patched flaws include use-after-free conditions, cross-site scripting, heap-based buffer overflows, denial-of-service, privilege escalation, and out-of-bounds read issues affecting all versions from 2.4.0 through 2.4.67.
Administrators running any prior release are strongly urged to upgrade immediately.
Apache HTTP Server 2.4.68
Use-After-Free (UAF) Flaws
Two use-after-free vulnerabilities were patched in this release. CVE-2026-29167 affects mod_ldap in per-directory configurations, where a dangling pointer can be triggered across versions 2.4.0–2.4.67, discovered by Pavel Kohout of Aisle Research.
The second, CVE-2026-48913, impacts the mod_http2 module when file handles are already exhausted — affecting the narrower range of 2.4.55–2.4.67 — and was reported by Sam Lovejoy of IBM X-Force Offensive Research (XOR).
Cross-Site Scripting (XSS)
CVE-2026-29170 describes an XSS flaw in mod_proxy_ftp‘s HTML directory listing generation. When Apache proxies FTP directory contents — either via forward or reverse proxy — unsanitized output can allow script injection. This low-severity issue affects all versions through 2.4.67 and was also discovered by Pavel Kohout of Aisle Research.
Buffer Overflow and Memory Corruption
Four buffer overflow vulnerabilities were remediated:
- CVE-2026-34355 (moderate) — A buffer overflow in
mod_proxy_htmlexploitable by an untrusted backend server, found by Elhanan Haenel and Junhui Lee - CVE-2026-34356 (low) — A heap-based overflow in
ProxyPassReverseCookieMaptriggered via malicious backend servers, discovered by Arkadi Vainbrand and depthfirst - CVE-2026-42536 (low) — A heap overflow in
mod_xml2encviaxml2StartParsewith untrusted content, reported by Zhenpeng (Leo) Lin of depthfirst - CVE-2026-44631 (low) — A heap underwrite in
ap_regnamecaused by signed char overflow in crafted regex configurations, found by Lin and Bartlomiej Dmitruk
Denial of Service
Two DoS vulnerabilities were fixed. CVE-2026-49975 (moderate) allows memory allocation exhaustion in mod_http2 via malicious HTTP/2 requests, affecting versions 2.4.17–2.4.67, discovered by Quang Luong of Calif.IO in collaboration with OpenAI Codex. CVE-2026-44186 (moderate) triggers an infinite loop in mod_proxy_ftp‘s handler via an attacker-controlled backend FTP server.
Other Notable Fixes
- CVE-2026-43951 (moderate) — An out-of-bounds read in
merge_response_headerswhenmod_headersandmod_mimehandle multiple response languages, causing child process crashes - CVE-2026-42535 (moderate) — A path handling flaw in
mod_dav_fsallowing WebDAV authors to manipulate trusted DAV property databases - CVE-2026-44185 (low) — A stack buffer over-read in
mod_ssl‘s OCSPsend_requestvia attacker-controlled OCSP servers - CVE-2026-44119 (moderate) — A privilege escalation flaw allowing local
.htaccessauthors to read files withhttpduser privileges, reported by 10 independent researchers
| CVE | Module | Severity | Type |
|---|---|---|---|
| CVE-2026-29167 | mod_ldap | Low | Use-After-Free |
| CVE-2026-29170 | mod_proxy_ftp | Low | XSS |
| CVE-2026-34355 | mod_proxy_html | Moderate | Buffer Overflow |
| CVE-2026-34356 | ProxyPassReverseCookieMap | Low | Heap Overflow |
| CVE-2026-42535 | mod_dav_fs | Moderate | Path Handling |
| CVE-2026-42536 | mod_xml2enc | Low | Heap Overflow |
| CVE-2026-43951 | mod_headers/mod_mime | Moderate | OOB Read |
| CVE-2026-44119 | .htaccess expressions | Moderate | Privilege Escalation |
| CVE-2026-44185 | mod_ssl OCSP | Low | Buffer Over-Read |
| CVE-2026-44186 | mod_proxy_ftp | Moderate | DoS (Infinite Loop) |
| CVE-2026-44631 | ap_regname | Low | Heap Underwrite |
| CVE-2026-48913 | mod_http2 | Low | Use-After-Free |
| CVE-2026-49975 | mod_http2 | Moderate | DoS |
The Apache Software Foundation recommends all users upgrade to Apache HTTP Server 2.4.68 immediately. No workarounds are available for most of these vulnerabilities. The updated release is available via the official Apache download page.