CVE-2026-33857
Description
Out-of-bounds Read vulnerability in mod_proxy_ajp of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
Mitigations
Mitigation details
Description
httpd: mod_proxy_ajp: off-by-one out-of-bounds reads in AJP getter functions
Red Hat statement
To exploit this issue, the Apache HTTP Server must be configured to connect to an untrusted or compromised AJP backend server, limiting its exposure. For this reason, this flaw has been rated with a moderate severity. This flaw only affects configurations with mod_proxy_ajp loaded and being used. This module can be disabled via the configuration file if its functionality is not being used.
CVSS v3: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Errata / fixed releases
| Product | Package | Advisory | Released |
|---|---|---|---|
| Red Hat Enterprise Linux 10 | httpd-0:2.4.63-13.el10_2.1 | RHSA-2026:21433 | 2026-05-27T00:00:00Z |
| Red Hat Enterprise Linux 8 | httpd:2.4-8100020260519200905.489197e6 | RHSA-2026:22140 | 2026-06-01T00:00:00Z |
| Red Hat Enterprise Linux 9 | httpd-0:2.4.62-13.el9_8.1 | RHSA-2026:21391 | 2026-05-27T00:00:00Z |
Package state
| Product | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 6 | httpd | Affected |
| Red Hat Enterprise Linux 7 | httpd | Affected |
| Red Hat Hardened Images | httpd | Affected |
| Red Hat JBoss Core Services | mod_proxy_ajp.so | Affected |
Apply commands
```shell
# RHEL 7 and earlier (yum)
yum update -y httpd
# or, RHEL 8 and later (dnf):
dnf upgrade -y httpd
```
Affected
| Vendor | Product | Status |
|---|---|---|
| redhat | Red Hat Enterprise Linux 6 | Affected |
| redhat | Red Hat Enterprise Linux 7 | Affected |
| redhat | Red Hat Hardened Images | Affected |
| redhat | Red Hat JBoss Core Services | Affected |
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| n/a | Affected | n/a |
Windows Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| n/a | Affected | n/a |
AlmaLinux Fixed 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | httpd-manual-2.4.62-13.el9_8.1.noarch.rpm |
| 8 | Fixed | httpd-filesystem-2.4.37-65.module_el8.10.0+4185+0955a0d7.8.noarch.rpm |
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 2.4.67-1~deb13u2 |
| sid | Fixed | 2.4.67-1 |
| forky | Fixed | 2.4.67-1 |
| bullseye | Fixed | 2.4.67-1~deb11u1 |
| bookworm | Fixed | 2.4.67-1~deb12u2 |
Red Hat Fixed 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | n/a |
| 8 | Fixed | n/a |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| apache | http_server | < 2.4.67 | 2.4.67 |
References
- https://security-tracker.debian.org/tracker/CVE-2026-33857
- https://httpd.apache.org/security/vulnerabilities_24.html
- http://www.openwall.com/lists/oss-security/2026/05/04/15
- https://www.suse.com/security/cve/CVE-2026-33857.html
- https://access.redhat.com/errata/RHSA-2026:21391
- https://bugzilla.redhat.com/2464940
- https://bugzilla.redhat.com/2464952
- https://bugzilla.redhat.com/2464953
- https://bugzilla.redhat.com/2465299
- https://bugzilla.redhat.com/2466913
- https://errata.almalinux.org/9/ALSA-2026-21391.html
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33857
- https://access.redhat.com/errata/RHSA-2026:22140
- https://bugzilla.redhat.com/2379343
- https://errata.almalinux.org/8/ALSA-2026-22140.html
CWEs
CWE-125