CRITICAL🇵🇱 Wersja polska

CVE-2026-28780

CVSS 9.8v3.1pub. 2026-05-05upd. 2026-06-30

Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to mod_proxy_ajp and cause it to write 4 attacker controlled bytes after the end of a heap based buffer. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

🤖 AI Analysis
How it works

The mod_proxy_ajp module establishes a connection with an AJP backend. If the backend is malicious or has been compromised by an attacker, it can send a crafted AJP message. In response to such a message, mod_proxy_ajp writes 4 bytes controlled by the attacker beyond the end of the buffer allocated on the heap (heap-based buffer overflow, CWE-122). The error results from the lack of proper boundary verification during AJP response processing.

Impact

An attacker controlling an AJP server connected to the vulnerable mod_proxy_ajp can cause memory corruption, potentially resulting in arbitrary code execution (RCE), privilege escalation, or HTTP server process crash.

Mitigation & patch

Apache HTTP Server should be updated to version 2.4.67 or later, which contains a patch eliminating the vulnerability. Details available at: https://httpd.apache.org/security/vulnerabilities_24.html

Who is affected

Apache HTTP Server in versions up to and including 2.4.66, when the mod_proxy_ajp module is configured.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache HTTP Server

    APP
    Apache
    < 2.4.67
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Memory
CWE
References

Related vulnerabilities

CVE-2024-38475CRITICAL9.1⚠ KEVPL ✓ten sam produkt

Apache HTTP Server mod_rewrite — ujawnienie kodu i RCE poprzez błędne escapowanie

CVE-2021-42013CRITICAL9.8⚠ KEVten sam produkt

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could ...

CVE-2021-41773CRITICAL9.8⚠ KEVten sam produkt

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a ...

CVE-2021-40438CRITICAL9.0⚠ KEVten sam produkt

A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remot...

CVE-2026-29167CRITICAL9.8PL ✓ten sam produkt

Use-after-free w Apache HTTP Server z mod_ldap (CVE-2026-29167)