Skip to main content

Apache HTTP Server EUVDEUVD-2026-26957

| CVE-2026-29169 HIGH
NULL Pointer Dereference (CWE-476)
2026-05-04 apache
High
Disputed · 7.5 NVD
Share

Severity by source

Sources disagree (Low–High)
NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
7.5 LOW
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 04, 2026 - 17:22 vuln.today
CVSS changed
May 04, 2026 - 17:22 NVD
7.5 (None) 7.5 (HIGH)
EUVD ID Assigned
May 04, 2026 - 15:00 euvd
EUVD-2026-26957
Analysis Generated
May 04, 2026 - 15:00 vuln.today
CVE Published
May 04, 2026 - 14:48 nvd
HIGH 7.5

DescriptionCVE.org

A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an attacker to crash the server with a malicious request.mod_dav_lock is not used internally by mod_dav or mod_dav_fs.

The only known use-case for mod_dav_lock was mod_dav_svn from Apache Subversion earlier than version 1.2.0.

Users are recommended to upgrade to version 2.4.66, which fixes this issue, or remove mod_dav_lock.

AnalysisAI

Remote attackers can crash Apache HTTP Server 2.4.66 and earlier by sending malicious requests that trigger a NULL pointer dereference in mod_dav_lock, causing denial of service. The vulnerability affects only servers with mod_dav_lock enabled, a legacy module whose primary use-case (Apache Subversion < 1.2.0) is obsolete in modern deployments. CISA SSVC indicates no active exploitation, but the attack is automatable against susceptible configurations. CVSS 7.5 (High) reflects network-accessible, unauthenticated denial of service, though real-world impact is limited to the small subset of servers still running mod_dav_lock.

Technical ContextAI

The vulnerability exists in mod_dav_lock, a locking provider module for WebDAV (Web Distributed Authoring and Versioning) in Apache HTTP Server. CWE-476 (NULL Pointer Dereference) occurs when the module attempts to access memory through a null pointer while processing specially crafted requests, causing the server process to crash. mod_dav_lock is distinct from the core mod_dav and mod_dav_fs modules, which do not use it internally. The module's original purpose was to support mod_dav_svn from Apache Subversion versions before 1.2.0 (released in 2005), making it largely obsolete in current infrastructure. CPE data identifies the affected product as Apache HTTP Server through version 2.4.66.

RemediationAI

Upgrade to Apache HTTP Server version 2.4.66 or later, which contains the fix for this NULL pointer dereference. For organizations unable to upgrade immediately, disable and remove mod_dav_lock from the Apache configuration by commenting out or removing the LoadModule directive for mod_dav_lock from httpd.conf or applicable configuration files, then restarting Apache. This mitigation has no functional impact on modern deployments since mod_dav_lock's use-case (Subversion < 1.2.0) is obsolete. Verify module removal by checking loaded modules with 'httpd -M' or 'apachectl -M' to confirm mod_dav_lock is not listed. Consult the official Apache security advisory at https://httpd.apache.org/security/vulnerabilities_24.html for additional guidance.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed

Share

EUVD-2026-26957 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy