Apache HTTP Server 2.4.66 mod_dav_lock Null PTR Crash
CVE-2026-29169 Published on May 4, 2026
Apache HTTP Server: mod_dav_lock indirect lock crash
A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an attacker to crash the server with a malicious request.mod_dav_lock is not used internally by mod_dav or mod_dav_fs.
The only known use-case for mod_dav_lock was mod_dav_svn from Apache Subversion earlier than version 1.2.0.
Users are recommended to upgrade to version 2.4.66, which fixes this issue, or remove mod_dav_lock.
Vulnerability Analysis
CVE-2026-29169 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Timeline
Report received
2.4.67 released 61 days later.
fixed in 2.4.x by r1933354
Weakness Type
NULL Pointer Dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. NULL pointer dereference issues can occur through a number of flaws, including race conditions, and simple programming omissions.
Products Associated with CVE-2026-29169
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2026-29169 are published in these products:
Affected Versions
Apache Software Foundation Apache HTTP Server:- Before and including 2.4.66 is affected.