9.8

CVE-2026-28780

Medienbericht

Apache HTTP Server: buffer overflow in mod_proxy_ajp via ajp_msg_check_header()

Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server.
If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to mod_proxy_ajp and cause it to write 4 attacker controlled bytes after the end of a heap based buffer.

This issue affects Apache HTTP Server: through 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApacheHTTP Server Version < 2.4.67
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.38% 0.688
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 8.1 2.2 5.9
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-122 Heap-based Buffer Overflow

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
06.05.2026 13:40
https://httpd.apache.org/security/vulnerabilities_24.html
Vendor Advisory
Release Notes
http://www.openwall.com/lists/oss-security/2026/05/05/9
Third Party Advisory
Mailing List
https://bugzilla.redhat.com/show_bug.cgi?id=2466913
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-28780.json
https://access.redhat.com/errata/RHSA-2026:21391
https://access.redhat.com/errata/RHSA-2026:21433
https://access.redhat.com/errata/RHSA-2026:22140
https://access.redhat.com/errata/RHSA-2026:27200
https://access.redhat.com/errata/RHSA-2026:27201
https://access.redhat.com/errata/RHSA-2026:36373
https://access.redhat.com/security/cve/CVE-2026-28780
https://access.redhat.com/errata/RHSA-2026:36831
https://access.redhat.com/errata/RHSA-2026:36846