Skip to main content

Apache HTTP Server CVE-2026-33857

| EUVDEUVD-2026-26951 MEDIUM
Out-of-bounds Read (CWE-125)
2026-05-04 apache
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
SUSE
MEDIUM
qualitative
Red Hat
7.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
May 04, 2026 - 16:30 vuln.today
CVSS changed
May 04, 2026 - 14:22 NVD
5.3 (MEDIUM)
EUVD ID Assigned
May 04, 2026 - 13:45 euvd
EUVD-2026-26951
Analysis Generated
May 04, 2026 - 13:45 vuln.today
CVE Published
May 04, 2026 - 13:07 nvd
MEDIUM 5.3

DescriptionCVE.org

Out-of-bounds Read vulnerability in mod_proxy_ajp of

Apache HTTP Server.

This issue affects Apache HTTP Server: through 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.

AnalysisAI

Out-of-bounds read in mod_proxy_ajp of Apache HTTP Server through version 2.4.66 allows remote unauthenticated attackers to disclose sensitive information via a crafted AJP protocol request. The vulnerability has a CVSS score of 5.3 (moderate) with no active exploitation confirmed. Upgrade to version 2.4.67 to remediate.

Technical ContextAI

The vulnerability exists in mod_proxy_ajp, Apache's module for proxying requests to application servers using the AJP (Apache JServ Protocol) network protocol. An out-of-bounds read (CWE-125) occurs when the module processes AJP messages without proper bounds checking, allowing attackers to read adjacent memory regions and leak confidential data. The AJP protocol is commonly used in Java application deployments where requests are forwarded from Apache HTTP Server frontends to backend Tomcat or other AJP-compatible application servers. The affected CPE string indicates the vulnerability affects all Apache HTTP Server installations from version 0 through 2.4.66 where mod_proxy_ajp is loaded.

RemediationAI

Upgrade Apache HTTP Server to version 2.4.67 or later, which includes the fix for the out-of-bounds read in mod_proxy_ajp. If immediate patching is not possible, disable the mod_proxy_ajp module using 'a2dismod proxy_ajp' (on Debian/Ubuntu systems) or by commenting out the LoadModule directive in httpd.conf on other distributions - this eliminates the attack surface but will break AJP-based proxying functionality until the module is re-enabled after patching. Organizations using mod_proxy_ajp should verify their application server setup does not depend on this module before disabling it. Consult https://httpd.apache.org/security/vulnerabilities_24.html for complete patching guidance and additional details.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed

Share

CVE-2026-33857 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy