{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34356", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-03-27T11:47:04.086Z", "datePublished": "2026-06-08T15:12:21.415Z", "dateUpdated": "2026-06-08T22:32:24.906Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache HTTP Server", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "2.4.67", "status": "affected", "version": "2.4.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Arkadi Vainbrand"}, {"lang": "en", "type": "finder", "value": "depthfirst (depthfirst.com)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Heap-based Buffer Overflow vulnerability in Apache HTTP Server with malicious backend servers and ProxyPassReverseCookie*</p><p>This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.</p><p>Users are recommended to upgrade to version 2.4.68, which fixes the issue.</p>"}], "value": "Heap-based Buffer Overflow vulnerability in Apache HTTP Server with malicious backend servers and ProxyPassReverseCookie*\n\nThis issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.\n\nUsers are recommended to upgrade to version 2.4.68, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-122", "description": "CWE-122 Heap-based Buffer Overflow", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-06-08T15:12:21.415Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}], "source": {"discovery": "UNKNOWN"}, "timeline": [{"lang": "en", "time": "2026-02-23T12:00:00.000Z", "value": "reported"}, {"lang": "en", "time": "2026-06-05T12:00:00.000Z", "value": "fixed in 2.4.x by r1935008"}, {"lang": "eng", "time": "2026-06-08T12:00:00.000Z", "value": "2.4.68 released"}], "title": "Apache HTTP Server: ProxyPassReverseCookieMap buffer overflow", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-06-08T18:14:26.078879Z", "id": "CVE-2026-34356", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-08T18:17:13.913Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/06/08/7"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-06-08T22:32:24.906Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/06/08/7"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-06-08T22:32:24.906Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-34356", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-08T18:14:26.078879Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-08T18:17:08.481Z"}}], "cna": {"title": "Apache HTTP Server: ProxyPassReverseCookieMap buffer overflow", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Arkadi Vainbrand"}, {"lang": "en", "type": "finder", "value": "depthfirst (depthfirst.com)"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "low"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache HTTP Server", "versions": [{"status": "affected", "version": "2.4.0", "versionType": "semver", "lessThanOrEqual": "2.4.67"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-23T12:00:00.000Z", "value": "reported"}, {"lang": "en", "time": "2026-06-05T12:00:00.000Z", "value": "fixed in 2.4.x by r1935008"}, {"lang": "eng", "time": "2026-06-08T12:00:00.000Z", "value": "2.4.68 released"}], "references": [{"url": "https://httpd.apache.org/security/vulnerabilities_24.html", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Heap-based Buffer Overflow vulnerability in Apache HTTP Server with malicious backend servers and ProxyPassReverseCookie*\n\nThis issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.\n\nUsers are recommended to upgrade to version 2.4.68, which fixes the issue.", "supportingMedia": [{"type": "text/html", "value": "<p>Heap-based Buffer Overflow vulnerability in Apache HTTP Server with malicious backend servers and ProxyPassReverseCookie*</p><p>This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.</p><p>Users are recommended to upgrade to version 2.4.68, which fixes the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-122", "description": "CWE-122 Heap-based Buffer Overflow"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-06-08T15:12:21.415Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34356", "state": "PUBLISHED", "dateUpdated": "2026-06-08T22:32:24.906Z", "dateReserved": "2026-03-27T11:47:04.086Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-06-08T15:12:21.415Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "03F07E89-F9BF-4913-8250-F79447AA6EBD", "versionEndExcluding": "2.4.68", "versionStartIncluding": "2.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Heap-based Buffer Overflow vulnerability in Apache HTTP Server with malicious backend servers and ProxyPassReverseCookie*\n\nThis issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.\n\nUsers are recommended to upgrade to version 2.4.68, which fixes the issue."}], "id": "CVE-2026-34356", "lastModified": "2026-06-09T16:17:19.160", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-06-08T16:16:38.537", "references": [{"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2026/06/08/7"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "security@apache.org", "type": "Secondary"}]}

{"bugzilla": {"description": "httpd: Apache HTTP Server: Heap-based Buffer Overflow via malicious backend servers", "id": "2486395", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2486395"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-120", "details": ["Heap-based Buffer Overflow vulnerability in Apache HTTP Server with malicious backend servers and ProxyPassReverseCookie*\nThis issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.\nUsers are recommended to upgrade to version 2.4.68, which fixes the issue.", "A flaw was found in Apache HTTP Server. This heap-based buffer overflow vulnerability can be exploited by a malicious backend server when using ProxyPassReverseCookie* directives. This could lead to a denial of service (DoS) condition, making the server unavailable to legitimate users."], "mitigation": {"lang": "en:us", "value": "To prevent this denial-of-service flaw, ensure your Apache proxy rules only connect to highly trusted backend servers. If you must proxy traffic to unverified or external backends, disable the cookie-rewriting features.\nSteps to Mitigate:\nOpen your Apache configuration file (e.g., /etc/httpd/conf/httpd.conf).\nLocate and comment out any ProxyPassReverseCookieDomain or ProxyPassReverseCookiePath lines pointing to untrusted backends by adding a # at the start of the line.\nTest your syntax: apachectl configtest\nApply changes gracefully: systemctl reload httpd\nNote: This may cause a brief service interruption."}, "name": "CVE-2026-34356", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Affected", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Affected", "package_name": "httpd", "product_name": "Red Hat Hardened Images"}], "public_date": "2026-06-08T15:12:21Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-34356\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34356\nhttps://httpd.apache.org/security/vulnerabilities_24.html"], "statement": "This flaw in Apache could allow a malicious backend server to crash your web server, making it unavailable to users. Your system is only at risk if you use Apache to forward traffic to untrusted or unverified backend systems.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.4.0,2.4.67]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Apache HTTP Server", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "apache_http_server", "vendor": "apache"}], "created": "2026-06-08T16:30:06.157503+00:00", "updated": "2026-06-19T02:00:10.236603+00:00", "vendors": ["apache", "apache$PRODUCT$apache_http_server"]}