CVE-2026-44631 is a vulnerability in Apache HTTP Server
Published on June 8, 2026
Apache HTTP Server: Heap Underflow in `ap_regname` via Signed Char Overflow
Buffer Underwrite vulnerability in Apache HTTP Server on crafted regular expressions in the configuration.
This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.
Users are recommended to upgrade to version 2.4.68, which fixes the issue.
Timeline
reported
fixed in 2.4.x by r1935015 39 days later.
2.4.68 released 3 days later.
Weakness Type
What is a buffer underrun Vulnerability?
The software writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer. This typically occurs when a pointer or its index is decremented to a position before the buffer, when pointer arithmetic results in a position before the beginning of the valid memory location, or when a negative index is used.
CVE-2026-44631 has been classified to as a buffer underrun vulnerability or weakness.
Products Associated with CVE-2026-44631
Want to know whenever a new CVE is published for Apache HTTP Server? stack.watch will email you.
Affected Versions
Apache Software Foundation Apache HTTP Server:- Version 2.4.0, <= 2.4.67 is affected.