Apache HTTP Server 2.4.68 Released With Fix For Use-After-Free, DoS, XSS, and Buffer Overflow Flaws

The Apache Software Foundation released Apache HTTP Server version 2.4.68 on June 8, 2026, addressing 13 security vulnerabilities spanning multiple modules.

The patched flaws include use-after-free conditions, cross-site scripting, heap-based buffer overflows, denial-of-service, privilege escalation, and out-of-bounds read issues affecting all versions from 2.4.0 through 2.4.67.

Administrators running any prior release are strongly urged to upgrade immediately.

Use-After-Free (UAF) Flaws

Two use-after-free vulnerabilities were patched in this release. CVE-2026-29167 affects mod_ldap in per-directory configurations, where a dangling pointer can be triggered; it spans versions 2.4.0–2.4.67 and was discovered by Pavel Kohout of Aisle Research.

The second, CVE-2026-48913, affects the mod_http2 module when file handles are already exhausted. It impacts the narrower range 2.4.55–2.4.67 and was reported by Sam Lovejoy of IBM X-Force Offensive Research (XOR).

Cross-Site Scripting (XSS)

CVE-2026-29170 describes an XSS flaw in mod_proxy_ftp's HTML directory listing generation. When Apache proxies FTP directory contents, whether as a forward or a reverse proxy, unsanitized output can allow script injection. This low-severity issue affects all versions through 2.4.67 and was also discovered by Pavel Kohout of Aisle Research.

Buffer Overflow and Memory Corruption

Four buffer overflow vulnerabilities were remediated:

CVE-2026-34355 (moderate) — A buffer overflow in mod_proxy_html exploitable by an untrusted backend server, found by Elhanan Haenel and Junhui Lee

CVE-2026-34356 (low) — A heap-based overflow in ProxyPassReverseCookieMap triggered via malicious backend servers, discovered by Arkadi Vainbrand and depthfirst

CVE-2026-42536 (low) — A heap overflow in mod_xml2enc via xml2StartParse with untrusted content, reported by Zhenpeng (Leo) Lin of depthfirst

CVE-2026-44631 (low) — A heap underwrite in ap_regname caused by signed char overflow in crafted regex configurations, found by Lin and Bartlomiej Dmitruk

Denial of Service

Two DoS vulnerabilities were fixed. CVE-2026-49975 (moderate) allows memory allocation exhaustion in mod_http2 via malicious HTTP/2 requests, affecting versions 2.4.17–2.4.67; it was discovered by Quang Luong of Calif.IO in collaboration with OpenAI Codex. CVE-2026-44186 (moderate) triggers an infinite loop in mod_proxy_ftp's handler via an attacker-controlled backend FTP server.

Other Notable Fixes

CVE-2026-43951 (moderate) — An out-of-bounds read in merge_response_headers when mod_headers and mod_mime handle multiple response languages, causing child process crashes

CVE-2026-42535 (moderate) — A path handling flaw in mod_dav_fs allowing WebDAV authors to manipulate trusted DAV property databases

CVE-2026-44185 (low) — A stack buffer over-read in mod_ssl's OCSP send_request via attacker-controlled OCSP servers

CVE-2026-44119 (moderate) — A privilege escalation flaw allowing local .htaccess authors to read files with httpd user privileges, reported by 10 independent researchers

Summary of the 13 CVEs fixed in 2.4.68:

CVE             Module                      Severity   Type
CVE-2026-29167  mod_ldap                    Low        Use-After-Free
CVE-2026-29170  mod_proxy_ftp               Low        XSS
CVE-2026-34355  mod_proxy_html              Moderate   Buffer Overflow
CVE-2026-34356  ProxyPassReverseCookieMap   Low        Heap Overflow
CVE-2026-42535  mod_dav_fs                  Moderate   Path Handling
CVE-2026-42536  mod_xml2enc                 Low        Heap Overflow
CVE-2026-43951  mod_headers/mod_mime        Moderate   OOB Read
CVE-2026-44119  .htaccess expressions       Moderate   Privilege Escalation
CVE-2026-44185  mod_ssl OCSP                Low        Buffer Over-Read
CVE-2026-44186  mod_proxy_ftp               Moderate   DoS (Infinite Loop)
CVE-2026-44631  ap_regname                  Low        Heap Underwrite
CVE-2026-48913  mod_http2                   Low        Use-After-Free
CVE-2026-49975  mod_http2                   Moderate   DoS

The Apache Software Foundation recommends all users upgrade to Apache HTTP Server 2.4.68 immediately. No workarounds are available for most of these vulnerabilities. The updated release is available via the official Apache download page.
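Because most of these issues have no workaround, the practical defender task is triage: find every httpd older than 2.4.68 and work out which of the 13 CVEs actually apply given the modules that instance has loaded. The script below is an added example written for this article; it is not code from Apache or from the original post. It parses the output of `httpd -v` and `httpd -M` (constructed sample output is embedded so it runs offline) and maps the advisory table above onto the loaded modules. The mapping of page entries to `httpd -M` module names (for example ProxyPassReverseCookieMap to mod_proxy, ap_regname and the .htaccess expression flaw to core code that is always present) and the per-CVE first-affected patch levels are this example's assumptions based on the ranges the article states.

```python
import re
from typing import List, Optional, Set, Tuple

Version = Tuple[int, int, int]
FIXED_IN: Version = (2, 4, 68)

# (CVE, required modules as named by `httpd -M`, first affected 2.4.x patch
#  level, short description). The module mapping and patch levels are
# assumptions drawn from the advisory summary; `None` means the flaw is in
# core code and applies to any vulnerable version regardless of modules.
ADVISORIES = [
    ("CVE-2026-29167", ("ldap_module",), 0, "use-after-free in mod_ldap"),
    ("CVE-2026-29170", ("proxy_ftp_module",), 0, "XSS in mod_proxy_ftp listings"),
    ("CVE-2026-34355", ("proxy_html_module",), 0, "buffer overflow in mod_proxy_html"),
    ("CVE-2026-34356", ("proxy_module",), 0, "heap overflow via ProxyPassReverseCookieMap"),
    ("CVE-2026-42535", ("dav_fs_module",), 0, "DAV property database path handling"),
    ("CVE-2026-42536", ("xml2enc_module",), 0, "heap overflow in mod_xml2enc"),
    ("CVE-2026-43951", ("headers_module", "mime_module"), 0, "OOB read in merge_response_headers"),
    ("CVE-2026-44119", None, 0, ".htaccess expression privilege escalation"),
    ("CVE-2026-44185", ("ssl_module",), 0, "OCSP stack over-read in mod_ssl"),
    ("CVE-2026-44186", ("proxy_ftp_module",), 0, "infinite loop in mod_proxy_ftp"),
    ("CVE-2026-44631", None, 0, "heap underwrite in ap_regname"),
    ("CVE-2026-48913", ("http2_module",), 55, "use-after-free in mod_http2"),
    ("CVE-2026-49975", ("http2_module",), 17, "allocation exhaustion in mod_http2"),
]

# Constructed sample output standing in for `httpd -v` and `httpd -M`.
SAMPLE_HTTPD_V = """Server version: Apache/2.4.57 (Unix)
Server built:   Apr  6 2023 12:00:00
"""
SAMPLE_HTTPD_M = """Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 mime_module (static)
 headers_module (shared)
 ssl_module (shared)
 http2_module (shared)
 proxy_module (shared)
 proxy_ftp_module (shared)
 dir_module (shared)
"""


def parse_version(httpd_v_output: str) -> Version:
    """Extract the (major, minor, patch) tuple from `httpd -v` output."""
    m = re.search(r"Server version:\s*Apache/(\d+)\.(\d+)\.(\d+)", httpd_v_output)
    if not m:
        raise ValueError("no 'Server version: Apache/x.y.z' line found")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def parse_modules(httpd_m_output: str) -> Set[str]:
    """Collect module names from `httpd -M` lines such as ' ssl_module (shared)'."""
    return set(re.findall(r"^\s*(\w+_module)\s+\((?:static|shared)\)", httpd_m_output, re.M))


def exposure(version: Version, loaded: Set[str]) -> List[str]:
    """Return the CVEs from the 2.4.68 advisory that apply to this instance."""
    if version >= FIXED_IN or version[:2] != (2, 4):
        return []  # already fixed, or not a 2.4.x build the advisory covers
    applicable = []
    for cve, modules, first_patch, _desc in ADVISORIES:
        if version[2] < first_patch:
            continue  # module or code path did not exist yet at this patch level
        if modules is None or all(mod in loaded for mod in modules):
            applicable.append(cve)
    return applicable


def describe(cves: List[str]) -> List[str]:
    """Human-readable lines for a triage report."""
    lookup = {cve: desc for cve, _m, _p, desc in ADVISORIES}
    return [f"{cve}: {lookup[cve]}" for cve in cves]


if __name__ == "__main__":
    ver = parse_version(SAMPLE_HTTPD_V)
    mods = parse_modules(SAMPLE_HTTPD_M)
    hits = exposure(ver, mods)
    print(f"httpd {'.'.join(map(str, ver))}: {len(hits)} applicable CVE(s); upgrade to 2.4.68")
    for line in describe(hits):
        print("  " + line)
```

On a real host, replace the two sample strings with the captured output of `httpd -v` and `httpd -M` (or `apachectl -M`); the module list is what narrows the exposure, since an instance without mod_ldap, mod_proxy_ftp or mod_http2 is not affected by the CVEs in those modules even though the version-based recommendation to upgrade still stands.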

The post Apache HTTP Server 2.4.68 Released With Fix For Use-After-Free, DoS, XSS, and Buffer Overflow Flaws appeared first on Cyber Security News.

Source: cybersecuritynews.com