CVE-2026-34032
Important: httpd security update
Description
httpd: mod_proxy_ajp: heap-based buffer over-read due to missing null-termination check
Red Hat statement
To exploit this issue, the Apache HTTP Server must be configured to connect to an untrusted or compromised AJP backend server, limiting its exposure. Due to this reason, this flaw has been rated with a moderate severity. This flaw only affects configurations with mod_proxy_ajp loaded and being used. This module can be disabled via the configuration file if its functionality is not being used.
CVSS v3: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H)
Errata / fixed releases
| Product | Package | Advisory | Released |
|---|---|---|---|
| Red Hat Enterprise Linux 10 | httpd-0:2.4.63-13.el10_2.1 | RHSA-2026:21433 | 2026-05-27T00:00:00Z |
| Red Hat Enterprise Linux 9 | httpd-0:2.4.62-13.el9_8.1 | RHSA-2026:21391 | 2026-05-27T00:00:00Z |
| Red Hat Hardened Images | httpd-main-2.4.67-0.1.hum1 | RHSA-2026:13938 | 2026-05-06T00:00:00Z |
Package state
| Product | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 6 | httpd | Affected |
| Red Hat Enterprise Linux 7 | httpd | Affected |
| Red Hat Enterprise Linux 8 | httpd:2.4/httpd | Affected |
| Red Hat JBoss Core Services | mod_proxy_ajp.so | Affected |
Apply commands
```shell
# Update the httpd package to the fixed release (RHEL 9 / RHEL 10)
yum update -y httpd
# or, on dnf-based systems:
dnf upgrade -y httpd
```
Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | Red Hat Enterprise Linux 6 | Affected |
| redhat | Red Hat Enterprise Linux 7 | Affected |
| redhat | Red Hat Enterprise Linux 8 | Affected |
| redhat | Red Hat JBoss Core Services | Affected |
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 2.4.67-1~deb12u2 |
| debian | bullseye | fixed | 2.4.67-1~deb11u1 |
| debian | forky | fixed | 2.4.67-1 |
| debian | sid | fixed | 2.4.67-1 |
| debian | trixie | fixed | 2.4.67-1~deb13u2 |
| rhel | 9 | fixed | |
| sles | | affected | |
| almalinux | 9 | fixed | httpd-manual-2.4.62-13.el9_8.1.noarch.rpm |
| windows | | affected | |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| apache | http_server | < 2.4.67 | 2.4.67 |
References
- https://security-tracker.debian.org/tracker/CVE-2026-34032
- https://httpd.apache.org/security/vulnerabilities_24.html
- http://www.openwall.com/lists/oss-security/2026/05/04/16
- https://www.suse.com/security/cve/CVE-2026-34032.html
- https://access.redhat.com/errata/RHSA-2026:21391
- https://bugzilla.redhat.com/2464940
- https://bugzilla.redhat.com/2464952
- https://bugzilla.redhat.com/2464953
- https://bugzilla.redhat.com/2465299
- https://bugzilla.redhat.com/2466913
- https://errata.almalinux.org/9/ALSA-2026-21391.html
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-34032
CWEs
- CWE-125: Out-of-bounds Read
- CWE-170: Improper Null Termination