CVE-2026-28780
Description
Heap-based buffer overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server, that AJP server can send a malicious AJP message back to mod_proxy_ajp and cause it to write 4 attacker-controlled bytes past the end of a heap-based buffer. This issue affects Apache HTTP Server through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
Mitigations
Mitigation details
Description
Apache HTTP Server mod_proxy_ajp: Arbitrary code execution via heap-based buffer overflow
CVSS v3: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Errata / fixed releases
| Product | Package | Advisory | Released |
|---|---|---|---|
| Red Hat Enterprise Linux 10 | httpd-0:2.4.63-13.el10_2.1 | RHSA-2026:21433 | 2026-05-27T00:00:00Z |
| Red Hat Enterprise Linux 9 | httpd-0:2.4.62-13.el9_8.1 | RHSA-2026:21391 | 2026-05-27T00:00:00Z |
Package state
| Product | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 6 | httpd | Affected |
| Red Hat Enterprise Linux 7 | httpd | Affected |
| Red Hat Enterprise Linux 8 | httpd:2.4/httpd | Affected |
| Red Hat JBoss Core Services | httpd | Affected |
| Red Hat JBoss Core Services | jbcs-httpd24-httpd | Affected |
Apply commands
yum update -y httpd
# or:
dnf upgrade -y httpd
Affected
| Vendor | Product | Status |
|---|---|---|
| redhat | Red Hat Enterprise Linux 6 | Affected |
| redhat | Red Hat Enterprise Linux 7 | Affected |
| redhat | Red Hat Enterprise Linux 8 | Affected |
| redhat | Red Hat JBoss Core Services | Affected |
| redhat | Red Hat JBoss Core Services | Affected |
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| n/a | Affected | n/a |
AlmaLinux Fixed 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | httpd-manual-2.4.62-13.el9_8.1.noarch.rpm |
| 8 | Fixed | httpd-filesystem-2.4.37-65.module_el8.10.0+4185+0955a0d7.8.noarch.rpm |
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 2.4.67-1~deb13u2 |
| sid | Fixed | 2.4.67-1 |
| forky | Fixed | 2.4.67-1 |
| bullseye | Fixed | 2.4.67-1~deb11u1 |
| bookworm | Fixed | 2.4.67-1~deb12u2 |
Red Hat Fixed 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | n/a |
| 8 | Fixed | n/a |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| apache | http_server | < 2.4.67 | 2.4.67 |
References
- https://security-tracker.debian.org/tracker/CVE-2026-28780
- https://httpd.apache.org/security/vulnerabilities_24.html
- http://www.openwall.com/lists/oss-security/2026/05/05/9
- https://www.suse.com/security/cve/CVE-2026-28780.html
- https://access.redhat.com/errata/RHSA-2026:21391
- https://bugzilla.redhat.com/2464940
- https://bugzilla.redhat.com/2464952
- https://bugzilla.redhat.com/2464953
- https://bugzilla.redhat.com/2465299
- https://bugzilla.redhat.com/2466913
- https://errata.almalinux.org/9/ALSA-2026-21391.html
- https://access.redhat.com/errata/RHSA-2026:22140
- https://bugzilla.redhat.com/2379343
- https://errata.almalinux.org/8/ALSA-2026-22140.html
CWEs
CWE-122