
Apache HTTP Server, EUVD-2026-35088

CVE-2026-44186 (HIGH)
Loop with Unreachable Exit Condition ('Infinite Loop'), CWE-835
Published 2026-06-08, vendor: apache, advisory: GHSA-6cr8-qx2w-7743
CVSS 3.1 base score: 7.3 (vendor: apache)

Severity by source

• Vendor (apache), primary: 7.3 HIGH, AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
• SUSE: MEDIUM (qualitative rating)

Primary rating from Vendor (apache).

CVSS Vector (Vendor: apache)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline (4 events)

• Jun 09, 2026 14:22, vuln.today: analysis generated
• Jun 09, 2026 14:22, NVD: CVSS changed to 7.3 (HIGH)
• Jun 08, 2026 15:11, nvd: CVE published, HIGH 7.3
• Jun 08, 2026 15:11, nvd: CVE published, UNKNOWN (no severity yet)

Description (source: CVE.org)

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in the mod_proxy_ftp module in Apache HTTP Server with an attacker controlled backend FTP server.

This issue affects Apache HTTP Server from 2.4.0 through 2.4.67.

Users are recommended to upgrade to version 2.4.68, which fixes the issue.

Analysis (AI-generated)

Denial of service in Apache HTTP Server versions 2.4.0 through 2.4.67 stems from an infinite loop condition in the mod_proxy_ftp module when interacting with an attacker-controlled backend FTP server. Remote attackers can degrade availability and partially impact confidentiality and integrity without authentication, though exploitation requires a proxied request path to a malicious FTP backend. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

• Recon: Identify Apache server with mod_proxy_ftp enabled
• Delivery: Cause proxy to connect to attacker FTP backend
• Exploit: Return crafted FTP response
• Install: Trigger infinite loop in mod_proxy_ftp parser
• C2: Pin httpd worker thread
• Execute: Repeat to exhaust worker pool
• Impact: Deny service to legitimate clients

Vulnerability Assessment (AI-generated)

Exploitation: The target Apache HTTP Server must have the mod_proxy_ftp module loaded and configured to proxy requests to an FTP backend that the attacker controls or can influence (for example, via an open ProxyPass/ProxyPassMatch rule that accepts attacker-supplied FTP URLs, or by being the operator of an FTP server that the proxy is configured to contact). … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L yields 7.3 (High): network reachable, low complexity, no privileges, no user interaction, with low impact across confidentiality, integrity and availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker identifies a public-facing Apache HTTP Server deployment that proxies HTTP requests to FTP backends via mod_proxy_ftp, either coercing a request to a malicious FTP server they control or hosting the FTP endpoint already referenced by the proxy configuration. By returning crafted FTP responses that never satisfy mod_proxy_ftp's parser exit condition, the attacker pins an httpd worker into an infinite loop, and repeats the request to exhaust the MPM worker pool and render the server unresponsive. …

Remediation: Vendor-released patch: Apache HTTP Server 2.4.68. Upgrade from any 2.4.0-2.4.67 release per the Apache advisory at https://httpd.apache.org/security/vulnerabilities_24.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI-generated)

Within 24 hours: Inventory Apache deployments and identify instances with mod_proxy_ftp enabled; disable the module immediately if FTP proxying is not business-critical; implement per-proxy connection timeout limits (recommended 30-60 seconds). …
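The two configuration controls named above (disable mod_proxy_ftp where it is not needed; otherwise bound the proxy connection timeout) look like this in httpd 2.4 configuration. This is an added example written for this page, not configuration from vuln.today or from the Apache project; the directive names are standard httpd 2.4 directives, while the URL paths, host name and file locations are placeholders.

```apache
# Added hardening example for the recommended action above; not from the
# vuln.today record or the Apache advisory. Paths and host names are
# placeholders.

# 1. Primary control: if FTP proxying is not business-critical, do not load
#    the module at all. Comment out (or remove) the LoadModule line in
#    httpd.conf or the distribution's module-loading file.
# LoadModule proxy_ftp_module modules/mod_proxy_ftp.so

# 2. Never run an open forward proxy. With "ProxyRequests On" any client can
#    choose the backend URL, which is the "open ProxyPass/ProxyPassMatch"
#    exposure the assessment describes. Keep it Off and use explicit
#    reverse-proxy mappings only.
ProxyRequests Off

# 3. Compensating control where FTP proxying must stay enabled: pin the
#    backend to a known host and bound how long a worker waits on it
#    (the page recommends 30-60 seconds). ProxyTimeout sets the default
#    for all proxied backends; the timeout= parameter overrides it for one
#    mapping.
<IfModule proxy_ftp_module>
    ProxyTimeout 30
    ProxyPass "/ftp-mirror/" "ftp://ftp.example.internal/pub/" timeout=30
</IfModule>
```

To verify the first control on a running host, `apachectl -M` (or `httpd -M`) lists the loaded modules; `proxy_ftp_module` should be absent. One caveat on the third control: a proxy timeout bounds how long a worker blocks waiting for backend I/O, so it limits the damage from an unresponsive or slow backend, but the page does not say whether the loop it describes waits on the socket or spins on data already received, so the timeout should be treated as a compensating control behind upgrading to 2.4.68 or removing the module, not as a substitute for either.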


Vendor Status

SUSE

Severity: Moderate

Product status:
• SUSE Linux Enterprise Desktop 15 SP7: Affected
• SUSE Linux Enterprise High Performance Computing 15 SP7: Affected
• SUSE Linux Enterprise Module for Basesystem 15 SP7: Affected
• SUSE Linux Enterprise Module for Package Hub 15 SP7: Affected
• SUSE Linux Enterprise Module for Server Applications 15 SP7: Affected


EUVD-2026-35088 vulnerability details – vuln.today
