
Apache HTTP Server EUVD-2026-35100

CVE-2026-42536 · HIGH
Heap-based Buffer Overflow (CWE-122)
2026-06-08 · apache · GHSA-2p7m-6jhq-26cm
CVSS 3.1 base score 7.5 · Vendor: apache

Severity by source

Vendor (apache), primary: 7.5 HIGH, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE: MEDIUM (qualitative)
Red Hat: 7.5 HIGH (qualitative)

Primary rating from Vendor (apache).

CVSS Vector (Vendor: apache)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Analysis Generated: Jun 08, 2026 - 19:26 (vuln.today)
CVSS changed: Jun 08, 2026 - 19:22 (NVD), 7.5 (HIGH)
CVE Published: Jun 08, 2026 - 15:23 (nvd), HIGH 7.5
CVE Published: Jun 08, 2026 - 15:23 (nvd), UNKNOWN (no severity yet)

Description (CVE.org)

Heap-based Buffer Overflow vulnerability in Apache HTTP Server with mod_xml2enc, xml2StartParse, and untrusted content

This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.

Users are recommended to upgrade to version 2.4.68, which fixes the issue.

Analysis (AI)

Denial of service in Apache HTTP Server 2.4.0 through 2.4.67 allows remote unauthenticated attackers to crash the server by submitting untrusted XML content processed by the mod_xml2enc module's xml2StartParse function. The flaw is a CWE-122 heap-based buffer overflow; its CVSS 7.5 score reflects a high availability impact only, and no public exploit had been identified at the time of analysis.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify Apache 2.4.x with mod_xml2enc enabled
Delivery: Send HTTP request routing through xml2enc filter
Exploit: Deliver crafted untrusted XML payload
Execution: Trigger heap overflow in xml2StartParse
Persist: Crash httpd worker process
Impact: Repeat to sustain denial of service

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the target Apache HTTP Server (2.4.0-2.4.67) to have the mod_xml2enc module loaded and to process untrusted XML content through the xml2StartParse code path, which typically means the server is acting as a reverse proxy or output filter for XML/XHTML responses (commonly paired with mod_proxy_html). …

Risk Assessment: The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) indicates a network-reachable, low-complexity, unauthenticated path with availability-only impact, i.e. a remote crash/DoS rather than code execution, despite the heap-overflow primitive class. …

Exploit Scenario: A remote attacker sends an HTTP request that causes the Apache server to fetch or generate XML content which is then passed through the mod_xml2enc filter; the crafted XML triggers the heap overflow in xml2StartParse and crashes the worker process. Repeating the request causes sustained denial of service against the web service. …

Remediation: Vendor-released patch: Apache HTTP Server 2.4.68. Upgrade from any 2.4.0-2.4.67 installation per https://httpd.apache.org/security/vulnerabilities_24.html. …

Recommended Action (AI)

Within 24 hours: Identify all Apache HTTP Server instances running versions 2.4.0-2.4.67 and assess network exposure; prioritize business-critical systems and public-facing services. …
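For the identification step above, the POSIX shell script below is an added example (not code from vuln.today, Apache, or the advisory): it parses captured `httpd -v` and `httpd -M` output and flags a host that is on 2.4.0 through 2.4.67 with mod_xml2enc loaded, which is the combination this CVE requires. The sample output is constructed, the function names are this example's own, and `xml2enc_module` is the name under which mod_xml2enc appears in `httpd -M`.

```shell
#!/bin/sh
# Flag an Apache httpd instance as affected by CVE-2026-42536: version in
# 2.4.0 through 2.4.67 AND mod_xml2enc loaded. Takes the text of `httpd -v`
# and `httpd -M` as arguments so it can be run offline against captured output.

# version_affected VERSION -> exit 0 if VERSION is within 2.4.0..2.4.67
version_affected() {
  major=$(printf '%s' "$1" | cut -d. -f1)
  minor=$(printf '%s' "$1" | cut -d. -f2)
  patch=$(printf '%s' "$1" | cut -d. -f3 | sed 's/[^0-9].*//')   # drop "-1", "rc" etc.
  [ "$major" = 2 ] && [ "$minor" = 4 ] && [ "${patch:-0}" -le 67 ]
}

# httpd_version "OUTPUT-OF-httpd -v" -> prints e.g. 2.4.41 (empty if not found)
httpd_version() {
  printf '%s\n' "$1" | sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*/\1/p'
}

# xml2enc_loaded "OUTPUT-OF-httpd -M" -> exit 0 if xml2enc_module is listed
xml2enc_loaded() {
  printf '%s\n' "$1" | grep -q '^[[:space:]]*xml2enc_module'
}

# assess VERSION_OUTPUT MODULES_OUTPUT -> prints a verdict; exit 0 only if affected
assess() {
  v=$(httpd_version "$1")
  if [ -n "$v" ] && version_affected "$v" && xml2enc_loaded "$2"; then
    echo "AFFECTED: Apache/$v with mod_xml2enc loaded; upgrade to 2.4.68"
    return 0
  fi
  echo "NOT AFFECTED: Apache/${v:-unknown} (version out of range or module not loaded)"
  return 1
}

# Constructed sample output, standing in for a real `httpd -v` / `httpd -M` run.
SAMPLE_V='Server version: Apache/2.4.41 (Unix)
Server built:   Jan  1 2026 00:00:00'
SAMPLE_M='Loaded Modules:
 core_module (static)
 proxy_html_module (shared)
 xml2enc_module (shared)'

assess "$SAMPLE_V" "$SAMPLE_M"
```

Run it against real hosts by substituting `"$(httpd -v)"` and `"$(httpd -M 2>/dev/null)"` (or the `apache2ctl` equivalents on Debian-based systems) for the sample strings.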


Vendor Status (Vendor)

SUSE

Severity: Moderate
Product status:
SUSE Linux Enterprise Desktop 15 SP7: Affected
SUSE Linux Enterprise High Performance Computing 15 SP7: Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7: Affected
SUSE Linux Enterprise Module for Package Hub 15 SP7: Affected
SUSE Linux Enterprise Module for Server Applications 15 SP7: Affected
