Apache HTTP Server 2.4.66: mod_authn_socache NULL deref crash (before 2.4.67)
CVE-2026-33007 Published on May 4, 2026
Apache HTTP Server: mod_authn_socache crash
A NULL pointer dereference in the mod_authn_socache in Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote user to crash a child process in a caching forward proxy configuration.
Users are recommended to upgrade to version 2.4.67, which fixes this issue.
Vulnerability Analysis
CVE-2026-33007 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a small impact on availability.
Timeline
Report received
2.4.67 released 61 days later.
fixed in 2.4.x by r1933358
Weakness Type
NULL Pointer Dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. NULL pointer dereference issues can occur through a number of flaws, including race conditions, and simple programming omissions.
Products Associated with CVE-2026-33007
Want to know whenever a new CVE is published for Apache HTTP Server? stack.watch will email you.
Affected Versions
Apache Software Foundation Apache HTTP Server:- Version 2.4.0, <= 2.4.66 is affected.