CVE-2026-34032
Description
Improper Null Termination, Out-of-bounds Read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
Mitigations
Mitigation details
Description
httpd: mod_proxy_ajp: heap-based buffer over-read due to missing null-termination check
Red Hat statement
To exploit this issue, the Apache HTTP Server must be configured to connect to an untrusted or compromised AJP backend server, limiting its exposure. Due to this reason, this flaw has been rated with a moderate severity. This flaw only affects configurations with mod_proxy_ajp loaded and being used. This module can be disabled via the configuration file if its functionality is not being used.
CVSS v3: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H)
Errata / fixed releases
| Product | Package | Advisory | Released |
|---|---|---|---|
| Red Hat Enterprise Linux 10 | httpd-0:2.4.63-13.el10_2.1 | RHSA-2026:21433 | 2026-05-27T00:00:00Z |
| Red Hat Enterprise Linux 9 | httpd-0:2.4.62-13.el9_8.1 | RHSA-2026:21391 | 2026-05-27T00:00:00Z |
| Red Hat Hardened Images | httpd-main-2.4.67-0.1.hum1 | RHSA-2026:13938 | 2026-05-06T00:00:00Z |
Package state
| Product | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 6 | httpd | Affected |
| Red Hat Enterprise Linux 7 | httpd | Affected |
| Red Hat Enterprise Linux 8 | httpd:2.4/httpd | Affected |
| Red Hat JBoss Core Services | mod_proxy_ajp.so | Affected |
Apply commands
```shell
yum update -y httpd
# or:
dnf upgrade -y httpd
```
Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | Red Hat Enterprise Linux 6 | Affected |
| redhat | Red Hat Enterprise Linux 7 | Affected |
| redhat | Red Hat Enterprise Linux 8 | Affected |
| redhat | Red Hat JBoss Core Services | Affected |
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| n/a | Affected | n/a |
Windows Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| n/a | Affected | n/a |
AlmaLinux Fixed 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | httpd-manual-2.4.62-13.el9_8.1.noarch.rpm |
| 8 | Fixed | httpd-filesystem-2.4.37-65.module_el8.10.0+4185+0955a0d7.8.noarch.rpm |
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 2.4.67-1~deb13u2 |
| sid | Fixed | 2.4.67-1 |
| forky | Fixed | 2.4.67-1 |
| bullseye | Fixed | 2.4.67-1~deb11u1 |
| bookworm | Fixed | 2.4.67-1~deb12u2 |
Red Hat Fixed 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | n/a |
| 8 | Fixed | n/a |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| apache | http_server | all versions before 2.4.67 (endExcluding 2.4.67) | 2.4.67 |
References
- https://security-tracker.debian.org/tracker/CVE-2026-34032
- https://httpd.apache.org/security/vulnerabilities_24.html
- http://www.openwall.com/lists/oss-security/2026/05/04/16
- https://www.suse.com/security/cve/CVE-2026-34032.html
- https://access.redhat.com/errata/RHSA-2026:21391
- https://bugzilla.redhat.com/2464940
- https://bugzilla.redhat.com/2464952
- https://bugzilla.redhat.com/2464953
- https://bugzilla.redhat.com/2465299
- https://bugzilla.redhat.com/2466913
- https://errata.almalinux.org/9/ALSA-2026-21391.html
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-34032
- https://access.redhat.com/errata/RHSA-2026:22140
- https://bugzilla.redhat.com/2379343
- https://errata.almalinux.org/8/ALSA-2026-22140.html
CWEs
CWE-125 (Out-of-bounds Read), CWE-170 (Improper Null Termination)