Product and Software Information
Update for multiple vulnerabilities in Apache HTTP Server 2.4 (May 2026)
Summary

The Apache Software Foundation has released Apache HTTP Server 2.4.67, which addresses multiple vulnerabilities in the Apache HTTP Server 2.4 series:

- Double free during HTTP/2 processing (CVE-2026-23918)
- Privilege escalation in mod_rewrite (CVE-2026-24072)
- Buffer overflow in mod_proxy_ajp (CVE-2026-28780)
- Improper handling of OCSP responses in mod_md (CVE-2026-29168)
- NULL pointer dereference in mod_dav_lock (CVE-2026-29169)
- Timing attack possible against mod_auth_digest (CVE-2026-33006)
- NULL pointer dereference in mod_authn_socache (CVE-2026-33007)
- HTTP response splitting caused by improper handling of the status line from a backend server (CVE-2026-33523)
- Out-of-bounds read in mod_proxy_ajp (CVE-2026-33857)
- Out-of-bounds read in mod_proxy_ajp due to a missing NULL-termination check (CVE-2026-34032)
- Out-of-bounds read of heap memory in mod_proxy_ajp (CVE-2026-34059)

Possible impacts

The impact differs for each vulnerability, but the following are possible:

- Denial of service (DoS) or execution of arbitrary code (CVE-2026-23918)
- An attacker with local permission to create .htaccess files reads files with the privileges of the httpd user (CVE-2026-24072)
- Denial of service (DoS) when connected to a malicious AJP server (CVE-2026-28780)
- Excessive resource consumption (CVE-2026-29168)
- Denial of service (DoS) (CVE-2026-29169)
- Bypass of Digest authentication (CVE-2026-33006)
- Crash of a child process in a caching forward proxy configuration (CVE-2026-33007)
- HTTP response splitting attack (CVE-2026-33523)
- Disclosure of information in memory (CVE-2026-33857)
- Disclosure of information in memory (CVE-2026-34032)
- Disclosure of information in memory (CVE-2026-34059)
Solution

[Update] Update to the latest version based on the information provided by the developer.

Publication Date May 8, 2026, midnight
Registration Date May 11, 2026, 4:29 p.m.
Last Update May 11, 2026, 4:29 p.m.
Affected System
Apache Software Foundation
Apache HTTP Server 2.4.0 through 2.4.66 - CVE-2026-33007, CVE-2026-33523
Apache HTTP Server 2.4.30 through 2.4.66 - CVE-2026-29168
Apache HTTP Server 2.4.66 - CVE-2026-23918
Apache HTTP Server 2.4.66 and earlier - CVE-2026-24072, CVE-2026-28780, CVE-2026-29169, CVE-2026-33006, CVE-2026-33857, CVE-2026-34032, CVE-2026-34059
CVE (Common Vulnerabilities and Exposures)
Vendor Information
Other
Change Log
No. | Changed details | Date of change
1 | [2026-05-11] Published | May 11, 2026, 4:29 p.m.

NVD Vulnerability Information
CVE-2026-23918
Summary

Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol.

This issue affects Apache HTTP Server: 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Publication Date May 5, 2026, 12:16 a.m.
Registration Date May 5, 2026, 4:06 a.m.
Last Update May 5, 2026, 3:16 a.m.
Related information, measures and tools
Common Vulnerabilities List
CVE-2026-24072
Summary

An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user.

Users are recommended to upgrade to version 2.4.67, which fixes this issue.

Publication Date May 4, 2026, 10:16 p.m.
Registration Date May 5, 2026, 4:06 a.m.
Last Update May 5, 2026, 3:16 a.m.
Related information, measures and tools
Common Vulnerabilities List
CVE-2026-28780
Summary

Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server.
If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to mod_proxy_ajp and cause it to write 4 attacker controlled bytes after the end of a heap based buffer.

This issue affects Apache HTTP Server: through 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Publication Date May 6, 2026, 7:16 a.m.
Registration Date May 7, 2026, 4:07 a.m.
Last Update May 7, 2026, 1:16 a.m.
Related information, measures and tools
Common Vulnerabilities List
CVE-2026-29168
Summary

Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's mod_md via OCSP response data.

This issue affects Apache HTTP Server: from 2.4.30 through 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Publication Date May 5, 2026, 11:16 p.m.
Registration Date May 6, 2026, 4:07 a.m.
Last Update May 7, 2026, 3:39 a.m.
Affected software configurations
Configuration 1: cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:* (from 2.4.30 inclusive, up to but excluding 2.4.67)
Related information, measures and tools
Common Vulnerabilities List
CVE-2026-29169
Summary

A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an attacker to crash the server with a malicious request. mod_dav_lock is not used internally by mod_dav or mod_dav_fs.

The only known use-case for mod_dav_lock was mod_dav_svn from Apache Subversion earlier than version 1.2.0.

Users are recommended to upgrade to version 2.4.66, which fixes this issue, or remove mod_dav_lock.

Publication Date May 5, 2026, 12:16 a.m.
Registration Date May 5, 2026, 4:06 a.m.
Last Update May 5, 2026, 11:36 a.m.
Affected software configurations
Configuration 1: cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:* (up to but excluding 2.4.67)
Related information, measures and tools
Common Vulnerabilities List
CVE-2026-33006
Summary

A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote attacker.

Users are recommended to upgrade to version 2.4.67, which fixes this issue.

Publication Date May 5, 2026, 12:16 a.m.
Registration Date May 5, 2026, 4:06 a.m.
Last Update May 5, 2026, 3:16 a.m.
Related information, measures and tools
Common Vulnerabilities List
CVE-2026-33007
Summary

A NULL pointer dereference in the mod_authn_socache in Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote user to crash a child process in a caching forward proxy configuration.

Users are recommended to upgrade to version 2.4.67, which fixes this issue.

Publication Date May 5, 2026, 12:16 a.m.
Registration Date May 5, 2026, 4:06 a.m.
Last Update May 5, 2026, 3:16 a.m.
Related information, measures and tools
Common Vulnerabilities List
CVE-2026-33523
Summary

HTTP response splitting vulnerability in multiple Apache HTTP Server modules with untrusted or compromised backend servers.

This issue affects Apache HTTP Server: from through 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Publication Date May 5, 2026, 12:16 a.m.
Registration Date May 5, 2026, 4:06 a.m.
Last Update May 5, 2026, 3:16 a.m.
Related information, measures and tools
Common Vulnerabilities List
CVE-2026-33857
Summary

Out-of-bounds Read vulnerability in mod_proxy_ajp of Apache HTTP Server.

This issue affects Apache HTTP Server: through 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Publication Date May 4, 2026, 11:16 p.m.
Registration Date May 5, 2026, 4:06 a.m.
Last Update May 5, 2026, 3:16 a.m.
Related information, measures and tools
Common Vulnerabilities List
CVE-2026-34032
Summary

Improper Null Termination, Out-of-bounds Read vulnerability in Apache HTTP Server.

This issue affects Apache HTTP Server: through 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Publication Date May 4, 2026, 11:16 p.m.
Registration Date May 5, 2026, 4:06 a.m.
Last Update May 5, 2026, 3:16 a.m.
Related information, measures and tools
Common Vulnerabilities List
CVE-2026-34059
Summary

Buffer Over-read vulnerability in Apache HTTP Server.

This issue affects Apache HTTP Server: through 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Publication Date May 4, 2026, 10:16 p.m.
Registration Date May 5, 2026, 4:06 a.m.
Last Update May 5, 2026, 3:16 a.m.
Related information, measures and tools
Common Vulnerabilities List