Skip to main content

Apache HTTP Server EUVDEUVD-2026-27321

| CVE-2026-29168 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-05-05 apache
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
SUSE
HIGH
qualitative
Red Hat
7.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
May 05, 2026 - 16:30 vuln.today
CVSS changed
May 05, 2026 - 16:22 NVD
7.3 (HIGH)

DescriptionCVE.org

Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's  mod_md via OCSP response data.

This issue affects Apache HTTP Server: from 2.4.30 through 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.

AnalysisAI

Uncontrolled resource consumption in Apache HTTP Server's mod_md module allows remote unauthenticated attackers to exhaust server resources via malformed OCSP response data, affecting versions 2.4.30 through 2.4.66. The vulnerability enables attackers to achieve confidentiality, integrity, and availability impacts with low complexity exploitation over the network. No active exploitation confirmed (not in CISA KEV), but the network-accessible attack surface and lack of authentication requirement make this a credible threat requiring prompt patching to version 2.4.67.

Technical ContextAI

The vulnerability resides in mod_md (Managed Domains), an Apache HTTP Server module that automates certificate management via ACME protocol. The flaw is a CWE-770 (Allocation of Resources Without Limits or Throttling) issue in handling OCSP (Online Certificate Status Protocol) response data. OCSP is used for real-time certificate revocation checking. Without proper resource limits, an attacker can send crafted OCSP responses that cause unbounded memory allocation or processing cycles. The affected CPE (cpe:2.3:a:apache_software_foundation:apache_http_server) confirms this impacts the core Apache httpd product across a wide version range spanning nearly 9 years of releases (2.4.30-2.4.66).

RemediationAI

Upgrade to Apache HTTP Server 2.4.67, which contains the complete fix for this resource allocation vulnerability. The official vendor advisory at https://httpd.apache.org/security/vulnerabilities_24.html provides download links and upgrade instructions. For environments where immediate patching is not feasible, disable the mod_md module entirely if ACME-based certificate automation is not required (using 'a2dismod md' on Debian-based systems or commenting out LoadModule directives). This workaround eliminates the attack surface but requires reverting to manual certificate management workflows, including manual renewals and OCSP stapling configuration. Alternatively, implement web application firewall rules to inspect and rate-limit OCSP-related traffic to mod_md endpoints, though this provides incomplete protection against sophisticated resource exhaustion attacks. Monitor server memory usage and configure resource limits (ulimit, cgroups) as defense-in-depth, recognizing these may only slow exploitation rather than prevent it.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed

Share

EUVD-2026-27321 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy