Apache HTTP Server 2.4.67 mod_proxy_html Buffer Overflow CVE-2026-34355
CVE-2026-34355 Published on June 8, 2026
Apache HTTP Server: mod_proxy_html buffer overflow
A buffer overflow in mod_proxy_html in Apache HTTP Server 2.4.67 and earlier allows an attack by an untrusted backend.
Users are recommended to upgrade to version 2.4.68, which fixes this issue.
Vulnerability Analysis
CVE-2026-34355 can be exploited with network access, and requires neither privileges nor user interaction. The attack complexity is considered low. A successful exploit is considered to have no impact on confidentiality or integrity, and a high impact on availability.
Timeline
Report received
Fixed in 2.4.x by r1934977 75 days later.
2.4.68 released 4 days later.
Weakness Type
Heap-based Buffer Overflow
A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Products Associated with CVE-2026-34355
Affected Versions
Apache Software Foundation Apache HTTP Server: versions 2.4.0 through 2.4.67 are affected.
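To triage a host against the range above, the following added example (not part of the advisory or of Apache's own tooling) classifies the text printed by `httpd -v` and `httpd -M`. The function names, verdict words and sample output are constructed for illustration; it assumes the module is listed as `proxy_html_module`, the name mod_proxy_html registers under.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a host for CVE-2026-34355
# from the text printed by `httpd -v` and `httpd -M`.

# Pull "2.4.67" out of "Server version: Apache/2.4.67 (Unix)".
httpd_version() {
    printf '%s\n' "$1" |
        sed -n 's|^Server version: Apache/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Succeeds when $1 is in the range the page lists: 2.4.0 through 2.4.67.
version_affected() {
    case "$1" in
        2.4.*) patch=${1#2.4.} ;;
        *) return 1 ;;
    esac
    case "$patch" in
        ''|*[!0-9]*) return 1 ;;   # not a plain number, do not guess
    esac
    [ "$patch" -le 67 ]
}

# Succeeds when the module list ($1) contains mod_proxy_html.
module_loaded() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*proxy_html_module([[:space:]]|$)'
}

# $1 = `httpd -v` output, $2 = `httpd -M` output. Prints one verdict word.
assess() {
    ver=$(httpd_version "$1")
    if [ -z "$ver" ]; then echo unknown
    elif ! version_affected "$ver"; then echo version-not-listed
    elif module_loaded "$2"; then echo affected
    else echo module-not-loaded
    fi
}

# Constructed sample input, shaped like real httpd output.
SAMPLE_V='Server version: Apache/2.4.67 (Unix)
Server built:   (constructed sample)'
SAMPLE_M='Loaded Modules:
 core_module (static)
 proxy_module (shared)
 proxy_html_module (shared)'

assess "$SAMPLE_V" "$SAMPLE_M"    # live use: assess "$(httpd -v)" "$(httpd -M)"
```

Distribution packages can carry a backported fix without changing the upstream version string, so an `affected` verdict on a vendor build should be confirmed against the distributor's own advisory. On Debian-family systems the same output comes from `apache2ctl -v` and `apache2ctl -M`.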
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.