{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-44631", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-05-07T12:39:02.065Z", "datePublished": "2026-06-08T15:19:23.570Z", "dateUpdated": "2026-06-08T22:32:33.325Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache HTTP Server", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "2.4.67", "status": "affected", "version": "2.4.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Zhenpeng (Leo) Lin at depthfirst"}, {"lang": "en", "type": "finder", "value": "Bartlomiej Dmitruk"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Buffer Underwrite vulnerability in Apache HTTP Server on crafted regular expressions in the configuration.</p><p>This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.</p><p>Users are recommended to upgrade to version 2.4.68, which fixes the issue.</p>"}], "value": "Buffer Underwrite vulnerability in Apache HTTP Server on crafted regular expressions in the configuration.\n\nThis issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.\n\nUsers are recommended to upgrade to version 2.4.68, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-124", "description": "CWE-124: Buffer Underwrite", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-06-08T15:19:23.570Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}], "source": {"discovery": "UNKNOWN"}, "timeline": [{"lang": "en", "time": "2026-04-27T12:00:00.000Z", "value": "reported"}, {"lang": "en", "time": "2026-06-05T12:00:00.000Z", "value": "fixed in 2.4.x by r1935015"}, {"lang": "eng", "time": "2026-06-08T12:00:00.000Z", "value": "2.4.68 released"}], "title": "Apache HTTP Server: Heap Underflow in `ap_regname` via Signed Char Overflow", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-06-08T19:43:09.481041Z", "id": "CVE-2026-44631", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-08T19:43:13.169Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/06/08/14"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-06-08T22:32:33.325Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/06/08/14"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-06-08T22:32:33.325Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-44631", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-06-08T19:43:09.481041Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-08T19:43:03.009Z"}}], "cna": {"title": "Apache HTTP Server: Heap Underflow in `ap_regname` via Signed Char Overflow", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Zhenpeng (Leo) Lin at depthfirst"}, {"lang": "en", "type": "finder", "value": "Bartlomiej Dmitruk"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "low"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache HTTP Server", "versions": [{"status": "affected", "version": "2.4.0", "versionType": "semver", "lessThanOrEqual": "2.4.67"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-27T12:00:00.000Z", "value": "reported"}, {"lang": "en", "time": "2026-06-05T12:00:00.000Z", "value": "fixed in 2.4.x by r1935015"}, {"lang": "eng", "time": "2026-06-08T12:00:00.000Z", "value": "2.4.68 released"}], "references": [{"url": "https://httpd.apache.org/security/vulnerabilities_24.html", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Buffer Underwrite vulnerability in Apache HTTP Server on crafted regular expressions in the configuration.\n\nThis issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.\n\nUsers are recommended to upgrade to version 2.4.68, which fixes the issue.", "supportingMedia": [{"type": "text/html", "value": "<p>Buffer Underwrite vulnerability in Apache HTTP Server on crafted regular expressions in the configuration.</p><p>This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.</p><p>Users are recommended to upgrade to version 2.4.68, which fixes the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-124", "description": "CWE-124: Buffer Underwrite"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-06-08T15:19:23.570Z"}}}, "cveMetadata": {"cveId": "CVE-2026-44631", "state": "PUBLISHED", "dateUpdated": "2026-06-08T22:32:33.325Z", "dateReserved": "2026-05-07T12:39:02.065Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-06-08T15:19:23.570Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "03F07E89-F9BF-4913-8250-F79447AA6EBD", "versionEndExcluding": "2.4.68", "versionStartIncluding": "2.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Buffer Underwrite vulnerability in Apache HTTP Server on crafted regular expressions in the configuration.\n\nThis issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.\n\nUsers are recommended to upgrade to version 2.4.68, which fixes the issue."}], "id": "CVE-2026-44631", "lastModified": "2026-06-11T04:01:49.173", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-06-08T16:16:40.583", "references": [{"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/06/08/14"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-124"}], "source": "security@apache.org", "type": "Secondary"}]}

{"bugzilla": {"description": "httpd: Apache HTTP Server: Denial of Service via crafted regular expressions", "id": "2486399", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2486399"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-124", "details": ["Buffer Underwrite vulnerability in Apache HTTP Server on crafted regular expressions in the configuration.\nThis issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.\nUsers are recommended to upgrade to version 2.4.68, which fixes the issue.", "A flaw was found in Apache HTTP Server. This buffer underwrite vulnerability occurs when processing crafted regular expressions in the server's configuration. An attacker could potentially exploit this to cause a denial of service."], "mitigation": {"lang": "en:us", "value": "Only loadtrustedApache configuration; the bug triggers oncrafted regexin config at start/reload (DirectoryMatch,Directory ~,ProxyMatch, etc.).\nKeep AllowOverride None where possible so untrusted users cannot inject regex via .htaccess.\nRestrict who can change httpdconfig and reload the service."}, "name": "CVE-2026-44631", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Affected", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Affected", "package_name": "httpd", "product_name": "Red Hat Hardened Images"}], "public_date": "2026-06-08T15:19:23Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-44631\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-44631\nhttps://httpd.apache.org/security/vulnerabilities_24.html"], "statement": "Affected httpd versions include vulnerable ap_regname() code. Exploitation requires a crafted regular expression in Apache configuration at parse/reload time. Default RHEL configurations use AllowOverride None, which prevents untrusted .htaccess injection. Remote unauthenticated HTTP clients cannot trigger this flaw. Most likely impact is availability (crash/DoS on reload) rather than demonstrated code execution. Fix: backport SVN r1935015 or upgrade to httpd 2.4.68.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.4.0,2.4.67]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Apache HTTP Server", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "apache_http_server", "vendor": "apache"}], "created": "2026-06-08T16:30:06.602519+00:00", "updated": "2026-06-08T21:30:06.439326+00:00", "vendors": ["apache", "apache$PRODUCT$apache_http_server"]}