Skip to main content

Apache HTTP Server CVE-2026-34032

| EUVDEUVD-2026-26953 MEDIUM
Improper Null Termination (CWE-170)
2026-05-04 apache
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
SUSE
MEDIUM
qualitative
Red Hat
8.2 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
May 04, 2026 - 16:30 vuln.today
CVSS changed
May 04, 2026 - 14:22 NVD
5.3 (MEDIUM)
EUVD ID Assigned
May 04, 2026 - 13:45 euvd
EUVD-2026-26953
Analysis Generated
May 04, 2026 - 13:45 vuln.today
CVE Published
May 04, 2026 - 12:54 nvd
MEDIUM 5.3

DescriptionCVE.org

Improper Null Termination, Out-of-bounds Read vulnerability in Apache HTTP Server.

This issue affects Apache HTTP Server: through 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.

AnalysisAI

Improper null termination and out-of-bounds read vulnerability in Apache HTTP Server through version 2.4.66 allows remote unauthenticated attackers to trigger information disclosure with low complexity exploitation. The vulnerability has a CVSS score of 5.3 (medium) with network-accessible attack vector and no user interaction required, though technical impact is limited to confidentiality (partial information disclosure). Vendor-released patch: version 2.4.67 addresses the issue.

Technical ContextAI

The vulnerability exists in Apache HTTP Server's memory handling routines where improper null termination of string data combined with an out-of-bounds read condition (CWE-170) allows attackers to read adjacent memory regions. This is a classic buffer handling flaw where a missing null terminator or incorrect bounds checking in string operations permits an attacker to access memory beyond the intended allocation. The affected CPE cpe:2.3:a:apache_software_foundation:apache_http_server:*:*:*:*:*:*:*:* covers all variants and configurations of the Apache HTTP Server product line through 2.4.66.

RemediationAI

Upgrade Apache HTTP Server to version 2.4.67 or later immediately. Users unable to upgrade immediately should apply the fix from the Apache security advisories at https://httpd.apache.org/security/vulnerabilities_24.html. No workarounds to prevent the memory read are documented; compensating controls are limited to network-level mitigations such as restricting access to the server via firewall rules to trusted clients only, reducing the attack surface if the vulnerability is leveraged for reconnaissance. However, network restriction alone does not fix the underlying flaw and should be considered temporary only. Apply the patch at the earliest maintenance window to completely remediate the issue.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed

Share

CVE-2026-34032 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy