Skip to main content

Apache HTTP Server CVE-2026-28780

| EUVDEUVD-2026-27506 CRITICAL
Heap-based Buffer Overflow (CWE-122)
2026-05-05 apache
9.8
CVSS 3.1 · Vendor: apache
Share

Severity by source

Vendor (apache) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
8.1 HIGH
qualitative

Primary rating from Vendor (apache).

CVSS VectorVendor: apache

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 06, 2026 - 16:22 vuln.today
CVSS changed
May 06, 2026 - 16:22 NVD
9.8 (CRITICAL)

DescriptionCVE.org

Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to mod_proxy_ajp and cause it to write 4 attacker controlled bytes after the end of a heap based buffer.

This issue affects Apache HTTP Server: through 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.

AnalysisAI

Remote heap buffer overflow in Apache HTTP Server's mod_proxy_ajp module allows complete system compromise when proxying to attacker-controlled AJP backends. Affects all versions through 2.4.66; attackers can achieve remote code execution by sending malicious AJP protocol responses that overflow a heap buffer with 4 controlled bytes. Apache released patch in version 2.4.67. Despite critical CVSS 9.8, EPSS probability remains very low (0.02%, 5th percentile) indicating minimal observed exploitation attempts, and no CISA KEV listing confirms active in-the-wild abuse. Exploitation requires specific proxy_ajp deployment configuration connecting to malicious AJP servers.

Technical ContextAI

The mod_proxy_ajp module implements Apache JServ Protocol (AJP) reverse proxy functionality, commonly used to connect Apache HTTP Server frontends to backend application servers like Apache Tomcat. This CWE-122 heap-based buffer overflow occurs during AJP message parsing when mod_proxy_ajp processes responses from AJP backend servers. The vulnerability allows a malicious backend to craft AJP protocol messages that trigger a 4-byte write beyond allocated heap buffer boundaries. According to CPE data, the flaw exists in all Apache HTTP Server versions from earliest releases through 2.4.66, spanning potentially decades of deployments. The heap overflow primitive, while limited to 4 bytes, provides sufficient control for memory corruption attacks that can redirect execution flow to achieve arbitrary code execution with the privileges of the Apache worker process.

RemediationAI

Immediately upgrade Apache HTTP Server to version 2.4.67 or later, which contains the complete fix per Apache Software Foundation advisory at https://httpd.apache.org/security/vulnerabilities_24.html. For environments unable to upgrade immediately, disable mod_proxy_ajp module entirely if AJP proxy functionality is not required (in httpd.conf, comment out LoadModule proxy_ajp_module). If AJP proxying is required, implement strict network controls ensuring mod_proxy_ajp connects ONLY to trusted, authenticated AJP backend servers under your administrative control - use firewall rules, VPN tunnels, or localhost-only connections to prevent exposure to potentially malicious backends. Note that disabling mod_proxy_ajp breaks AJP-dependent applications; localhost-only restriction requires backend colocation and prevents distributed architectures. Validate that security updates from OS vendors (RHEL, Ubuntu, Debian, SUSE) incorporating Apache 2.4.67 are applied when available for your distribution.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed

Share

CVE-2026-28780 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy