Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.8
Apache HTTP Server mod_proxy_ajp crashes with malicious server response
DEBIAN-CVE-2026-28780
Summary
A malicious server can send a message that causes the Apache HTTP Server's mod_proxy_ajp module to crash. This happens when mod_proxy_ajp connects to a server that sends a specially crafted message. To fix this issue, update to Apache HTTP Server version 2.4.67 or later.
What to do
- Update debian apache2 to version 2.4.67-1~deb12u2.
- Update debian apache2 to version 2.4.67-1~deb13u2.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| Debian:11 | debian | apache2 | All versions |
| Debian:12 | debian | apache2 |
< 2.4.67-1~deb12u2 Fix: upgrade to 2.4.67-1~deb12u2
|
| Debian:13 | debian | apache2 |
< 2.4.67-1~deb13u2 Fix: upgrade to 2.4.67-1~deb13u2
|
| Debian:14 | debian | apache2 | All versions |
Original title
Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to mod_pro...
Original description
Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to mod_proxy_ajp and cause it to write 4 attacker controlled bytes after the end of a heap based buffer. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
osv CVSS3.1
9.8
- https://security-tracker.debian.org/tracker/CVE-2026-28780 Vendor Advisory
Published: 5 May 2026 · Updated: 7 May 2026 · First seen: 7 May 2026