8.2
Apache HTTP Server: mod_proxy_ajp security update
RLSA-2026:21391
Summary
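This update fixes several memory-safety issues in Apache HTTP Server's mod_proxy_ajp module: heap-based buffer over-reads, off-by-one out-of-bounds reads, and a heap-based buffer overflow. It also fixes a NULL pointer dereference in mod_authn_socache. Per the CVE titles listed below, the impacts include memory disclosure, a child process crash, and arbitrary code execution, which could lead to data breaches or server downtime. Update httpd to the fixed version to resolve these issues.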
What to do
- Update httpd to version 0:2.4.62-13.el9_8.1.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| Rocky Linux:9 | – | httpd | < 0:2.4.62-13.el9_8.1 (fix: upgrade to 0:2.4.62-13.el9_8.1) |
Original title
Important: httpd security update
Original description
The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.
Security Fix(es):
* httpd: mod_proxy_ajp: heap-based buffer over-read and memory disclosure in ajp_parse_data() (CVE-2026-34059)
* httpd: mod_proxy_ajp: heap-based buffer over-read due to missing null-termination check (CVE-2026-34032)
* httpd: mod_proxy_ajp: off-by-one out-of-bounds reads in AJP getter functions (CVE-2026-33857)
* httpd: mod_authn_socache: NULL pointer dereference can cause a child process crash (CVE-2026-33007)
* Apache HTTP Server: mod_proxy_ajp: Apache HTTP Server mod_proxy_ajp: Arbitrary code execution via heap-based buffer overflow (CVE-2026-28780)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVSS 3.1 (OSV): 8.2
References
- https://errata.rockylinux.org/RLSA-2026:21391 Vendor Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2464940 Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2464952 Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2464953 Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2465299 Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2466913 Third Party Advisory
Published: 30 May 2026 · Updated: 30 May 2026 · First seen: 30 May 2026