Skip to main content

Apache HTTP Server EUVDEUVD-2026-35089

| CVE-2026-34356 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-06-08 apache GHSA-9gq3-xc6j-h3g5
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
5.3 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
7.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 08, 2026 - 19:26 vuln.today
CVSS changed
Jun 08, 2026 - 19:22 NVD
7.5 (HIGH)
CVE Published
Jun 08, 2026 - 15:12 nvd
HIGH 7.5
CVE Published
Jun 08, 2026 - 15:12 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Heap-based Buffer Overflow vulnerability in Apache HTTP Server with malicious backend servers and ProxyPassReverseCookie*

This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.

Users are recommended to upgrade to version 2.4.68, which fixes the issue.

AnalysisAI

Denial of service in Apache HTTP Server versions 2.4.0 through 2.4.67 stems from a heap-based buffer overflow triggered when the server processes responses from a malicious backend while ProxyPassReverseCookieDomain or ProxyPassReverseCookiePath directives are in use. Remote attackers controlling or compromising an upstream backend can crash the front-end Apache process, impacting availability of the reverse proxy without affecting confidentiality or integrity. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Compromise or stand up malicious backend
Delivery
Wait for proxy to forward client request
Exploit
Return crafted Set-Cookie response
Execution
Trigger heap overflow in ProxyPassReverseCookie rewrite
Persist
Crash Apache worker process
Impact
Sustain denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target Apache HTTP Server (2.4.0 through 2.4.67) be deployed as a reverse proxy with mod_proxy loaded and at least one ProxyPassReverseCookieDomain or ProxyPassReverseCookiePath directive configured, and that the attacker control or have compromised a backend origin server that the proxy forwards requests to, since the malicious input is a crafted Set-Cookie response header from upstream. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H yields 7.5 and accurately reflects an availability-only network-reachable bug with no authentication or user interaction, but the practical attack surface is narrower than the raw score suggests because exploitation depends on the proxy talking to an attacker-influenced backend, not arbitrary internet clients. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who controls or compromises a backend origin server that an Apache reverse proxy forwards traffic to returns an HTTP response containing a crafted Set-Cookie header; when Apache applies its ProxyPassReverseCookieDomain or ProxyPassReverseCookiePath rewriting, the heap-based buffer overflow is triggered and the worker process crashes, denying service to all clients of that proxy. Repeated triggering keeps the front end in a crash-restart loop. …
Remediation Vendor-released patch: upgrade to Apache HTTP Server 2.4.68, which the Apache Software Foundation identifies as the fix release on https://httpd.apache.org/security/vulnerabilities_24.html, and rebuild or update distro packages once 2.4.68-based builds are available. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all Apache HTTP Server instances running versions 2.4.0-2.4.67 configured with ProxyPassReverseCookieDomain or ProxyPassReverseCookiePath directives and classify by business criticality. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected
SUSE Linux Enterprise Module for Package Hub 15 SP7 Affected
SUSE Linux Enterprise Module for Server Applications 15 SP7 Affected

Share

EUVD-2026-35089 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy