CVE-2026-44631

9.8 CRITICAL

Buffer Underwrite vulnerability in Apache HTTP Server on crafted regular expressions in the configuration

Published: 2026-06-08 · Last updated: 2026-06-11

Severity and scoring

CVSS: 9.8 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-124

Affected products

Vendor	Product
apache	http_server

Description

Buffer Underwrite vulnerability in Apache HTTP Server on crafted regular expressions in the configuration. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-44631
[Vendor advisory]https://httpd.apache.org/security/vulnerabilities_24.html
[Other]http://www.openwall.com/lists/oss-security/2026/06/08/14

Related CVEs

Same vendor

CVE-2026-34905 — Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Answer (6.5 MEDIUM)
CVE-2026-34031 — Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer (6.5 MEDIUM)
CVE-2026-33582 — Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer (6.5 MEDIUM)
CVE-2026-25699 — Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer (6.1 MEDIUM)
CVE-2026-25688 — Improper Neutralization of Alternate XSS Syntax vulnerability in Apache Answer (6.1 MEDIUM)

Same CWE

CVE-2024-36343 — Improper input validation in the System Management Mode (SMM) communications buffer could allow a privileged attacker to perform an out o...
CVE-2026-34253 — A buffer underflow vulnerability has been identified in the ogg123 utility from the vorbis-tools 1.4.3 package in function remotethread i... (8.2 HIGH)
CVE-2026-0966 — A flaw was found in libssh (8.2 HIGH)