The Apache Software Foundation has announced the release of Apache HTTP Server version 2.4.68 on June 8, 2026. This update addresses multiple security vulnerabilities, including use-after-free conditions, cross-site scripting (XSS), buffer overflows, denial-of-service (DoS) attacks, privilege escalation, and out-of-bounds read issues. Administrators are strongly encouraged to upgrade to this latest version to ensure the security and stability of their web servers.
Key Security Fixes in Apache HTTP Server 2.4.68
1. Use-After-Free Vulnerabilities:
– CVE-2026-29167: Affects the `mod_ldap` module in per-directory configurations, leading to potential dangling pointers. This issue spans versions 2.4.0 through 2.4.67 and was identified by Pavel Kohout of Aisle Research.
– CVE-2026-48913: Impacts the `mod_http2` module when file handles are exhausted, potentially causing use-after-free conditions. This vulnerability affects versions 2.4.55 through 2.4.67 and was reported by Sam Lovejoy of IBM X-Force Offensive Research (XOR).
2. Cross-Site Scripting (XSS):
– CVE-2026-29170: An XSS flaw in the `mod_proxy_ftp` module’s HTML directory listing generation. When Apache proxies FTP directory contents, unsanitized output can allow script injection. This low-severity issue affects all versions up to 2.4.67 and was discovered by Pavel Kohout.
3. Buffer Overflow and Memory Corruption:
– CVE-2026-34355: A buffer overflow in the `mod_proxy_html` module, exploitable by an untrusted backend server. This moderate-severity issue was found by Elhanan Haenel and Junhui Lee.
– CVE-2026-34356: A heap-based overflow in `ProxyPassReverseCookieMap`, triggered via malicious backend servers. This low-severity vulnerability was discovered by Arkadi Vainbrand and depthfirst.
– CVE-2026-42536: A heap overflow in the `mod_xml2enc` module via `xml2StartParse` with untrusted content. This low-severity issue was reported by Zhenpeng (Leo) Lin of depthfirst.
– CVE-2026-44631: A heap underwrite in `ap_regname` caused by signed char overflow in crafted regex configurations. This low-severity vulnerability was found by Zhenpeng (Leo) Lin and Bartlomiej Dmitruk.
4. Denial of Service (DoS):
– CVE-2026-49975: Allows memory allocation exhaustion in the `mod_http2` module via malicious HTTP/2 requests. This moderate-severity issue affects versions 2.4.17 through 2.4.67 and was discovered by Quang Luong of Calif.IO in collaboration with OpenAI Codex.
– CVE-2026-44186: Triggers an infinite loop in the `mod_proxy_ftp` module’s handler via an attacker-controlled backend FTP server. This moderate-severity vulnerability affects versions 2.4.0 through 2.4.67.
5. Other Notable Fixes:
– CVE-2026-43951: An out-of-bounds read in `merge_response_headers` when `mod_headers` and `mod_mime` handle multiple response languages, causing child process crashes. This moderate-severity issue affects versions 2.4.0 through 2.4.67.
– CVE-2026-42535: A path handling flaw in the `mod_dav_fs` module, allowing WebDAV authors to manipulate trusted DAV property databases. This moderate-severity vulnerability affects versions 2.4.0 through 2.4.67.
– CVE-2026-44185: A stack buffer over-read in the `mod_ssl` module’s OCSP `send_request` function via attacker-controlled OCSP servers. This low-severity issue affects versions 2.4.0 through 2.4.67.
– CVE-2026-44119: A privilege escalation flaw allowing local `.htaccess` authors to read files with `httpd` user privileges. This moderate-severity vulnerability affects versions 2.4.0 through 2.4.67 and was reported by multiple independent researchers.
Recommendations for Administrators
Given the range and severity of these vulnerabilities, it is imperative for administrators to upgrade to Apache HTTP Server version 2.4.68 without delay. This update not only addresses the aforementioned security issues but also includes various bug fixes and performance improvements.
How to Upgrade
To upgrade to Apache HTTP Server 2.4.68, follow these steps:
1. Backup Configuration Files: Before proceeding with the upgrade, ensure that all configuration files and critical data are backed up to prevent any loss during the update process.
2. Download the Latest Version: Visit the official Apache HTTP Server download page to obtain the latest release.
3. Verify Integrity: After downloading, verify the integrity of the files using the provided signatures and the KEYS file to ensure that the files have not been tampered with.
4. Follow Installation Instructions: Refer to the official installation documentation for guidance on compiling and installing the new version.
5. Test the Configuration: After installation, test your server configuration to ensure that all services are running correctly and that the server is secure.
Staying Informed
To stay updated on future releases and security advisories, consider subscribing to the Apache HTTP Server Project’s mailing lists or monitoring their official announcements. Regularly updating your server software is crucial in maintaining a secure
Security News
