Skip to main content

Apache HTTP Server CVE-2026-34059

| EUVDEUVD-2026-26948 HIGH
Buffer Over-read (CWE-126)
2026-05-04 apache
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
SUSE
HIGH
qualitative
Red Hat
8.2 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
May 04, 2026 - 15:22 vuln.today
CVSS changed
May 04, 2026 - 15:22 NVD
7.5 (None) 7.5 (HIGH)
EUVD ID Assigned
May 04, 2026 - 13:00 euvd
EUVD-2026-26948
Analysis Generated
May 04, 2026 - 13:00 vuln.today
CVE Published
May 04, 2026 - 12:39 nvd
HIGH 7.5

DescriptionCVE.org

Buffer Over-read vulnerability in Apache HTTP Server.

This issue affects Apache HTTP Server: through 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.

AnalysisAI

Buffer over-read in Apache HTTP Server through 2.4.66 enables remote unauthenticated information disclosure at network scale. Attackers can read sensitive memory content without authentication or user interaction, achieving high confidentiality impact with low attack complexity. EPSS exploitation probability and KEV status not provided, but SSVC framework confirms the vulnerability is automatable with partial technical impact and no active exploitation detected at time of analysis. Patch released in version 2.4.67.

Technical ContextAI

This vulnerability exploits a CWE-126 buffer over-read condition in Apache HTTP Server, the world's most widely deployed web server software. A buffer over-read occurs when a program reads data beyond the boundaries of allocated memory buffers, potentially exposing sensitive information from adjacent memory regions. The affected CPE (cpe:2.3:a:apache_software_foundation:apache_http_server) encompasses all versions through 2.4.66 across all platforms. Unlike buffer overflows that enable code execution, buffer over-reads typically result in information disclosure as the application reads and potentially transmits memory contents that should remain protected. The network attack vector (AV:N) combined with low complexity (AC:L) indicates the vulnerability exists in network-facing request handling code, likely within HTTP protocol parsing, header processing, or connection management routines that are triggered during normal web server operations.

RemediationAI

Upgrade to Apache HTTP Server version 2.4.67 immediately, as confirmed by the official Apache Software Foundation advisory at https://httpd.apache.org/security/vulnerabilities_24.html. For organizations unable to upgrade immediately, implement compensating controls including: deploy a web application firewall (WAF) with strict request inspection to block malformed requests that might trigger the over-read condition, though this may impact legitimate traffic with edge-case HTTP features; restrict network access to the web server to trusted IP ranges using firewall rules where architecturally feasible, reducing attack surface but limiting public accessibility; enable comprehensive memory protection features available in modern operating systems (ASLR, stack canaries) which may reduce information leakage utility but will not prevent the vulnerability; implement request rate limiting and anomaly detection to identify potential exploitation attempts, though determined attackers can work within rate limits. Version 2.4.67 represents the definitive fix with no known side effects, making immediate patching the strongly preferred remediation path over partial mitigations.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed

Share

CVE-2026-34059 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy