Apache HTTP Server 2.4.68: thirteen CVEs in one patch — update now
On June 8, 2026, the Apache Software Foundation released Apache HTTP Server 2.4.68, closing 13 vulnerabilities in a single shot — use-after-free conditions, buffer overflows, XSS, HTTP/2 denial-of-service, privilege escalation through .htaccess, and an out-of-bounds read. Every version from 2.4.0 through 2.4.67 is affected. There are no workarounds for most of these issues — only upgrading fixes them.
Thirteen CVEs in one release isn’t routine. It means multiple independent researchers were working over the same codebase simultaneously and coordinated their disclosures. The most telling detail: CVE-2026-44119, the privilege escalation through .htaccess, was found by 10 independent researchers at the same time. When ten people find the same bug in parallel, the odds that an eleventh found it first and stayed quiet are uncomfortably high.
WHAT HAPPENED
Two use-after-free vulnerabilities. CVE-2026-29167 affects mod_ldap in per-directory configurations, where a dangling pointer can be triggered across versions 2.4.0–2.4.67 — discovered by Pavel Kohout of Aisle Research. CVE-2026-48913 fires in mod_http2 when file handles are already exhausted, covering the narrower range 2.4.55–2.4.67 — reported by Sam Lovejoy of IBM X-Force Offensive Research. Both carry the risk of memory corruption and unpredictable process behaviour.
Privilege escalation via .htaccess — CVE-2026-44119 (moderate severity). A flaw in the expression evaluation engine (ap_expr) across multiple modules lets local .htaccess authors read arbitrary files with the privileges of the httpd user. In practice: if an attacker can create or modify a .htaccess file — through a compromised web application, a hosting control panel, or any other vector — they can use crafted expressions to access files readable by the Apache process. On a shared hosting server, that potentially means configuration files and application secrets belonging to every other site on the same box.
HTTP/2 denial-of-service — CVE-2026-49975 (moderate). Malicious HTTP/2 requests trigger unbounded memory allocation in mod_http2, which under sufficient load exhausts available memory and crashes the server. This affects versions 2.4.17–2.4.67 — essentially anything running HTTP/2. The vulnerability was discovered by Quang Luong of Calif.IO in collaboration with OpenAI Codex.
Four buffer overflows. CVE-2026-34355 (moderate) in mod_proxy_html is exploitable by an untrusted backend server — in a reverse proxy setup, a malicious backend response can corrupt Apache’s process memory. CVE-2026-34356 (low) is a heap overflow in ProxyPassReverseCookieMap triggered through malicious backend responses. CVE-2026-42536 (low) is a heap overflow in mod_xml2enc when processing untrusted content. CVE-2026-44631 (low) is a heap underwrite in ap_regname caused by a signed char overflow in crafted regular expressions in the server configuration.
Five more fixes round out the release. CVE-2026-29170 (low) is an XSS flaw in mod_proxy_ftp’s directory listing generation — when Apache proxies FTP content, unsanitized output can inject scripts into a user’s browser. CVE-2026-43951 (moderate) is an out-of-bounds read in merge_response_headers when mod_headers and mod_mime process multiple response languages, crashing the child process and causing a brief service interruption. CVE-2026-42535 (moderate) is a path handling flaw in mod_dav_fs that lets WebDAV authors directly manipulate trusted DAV property databases — particularly risky on servers with multi-user WebDAV access. CVE-2026-44185 (low) is a stack buffer over-read in mod_ssl’s OCSP handler, triggerable through an attacker-controlled OCSP server. CVE-2026-44186 (moderate) is an infinite loop in the mod_proxy_ftp handler — if Apache proxies an FTP server under the attacker’s control, they can hang the worker process with deliberately malformed responses.
WHY IT MATTERS
Apache still powers a huge share of web infrastructure, especially on shared hosting and in enterprise environments. CVE-2026-44119 hits that context hard: write access to a site’s directory is reachable through dozens of vectors on a typical shared host — a vulnerable web application, compromised FTP credentials, a control panel flaw. Once an attacker can write a .htaccess file, they can craft expressions that read files belonging to the Apache process. On a shared server that means configuration files and application secrets belonging to every other tenant on the machine.
CVE-2026-49975 is relevant to any publicly accessible Apache with HTTP/2 enabled — which describes most modern deployments. The attack requires no authentication: send a stream of crafted HTTP/2 requests that provoke unbounded memory allocation, and under enough load the server runs out of memory and crashes. It’s a textbook unauthenticated DoS.
The two use-after-free vulnerabilities, while rated low severity, are worth taking seriously in the context of attack chains. A use-after-free in mod_ldap under per-directory configuration may be unreliable to exploit on its own, but undefined process behaviour in a web server is exactly what a determined researcher will keep pulling on. The buffer overflows in the proxy modules matter most in environments with untrusted backends — reverse proxies in front of legacy applications, outbound proxying to third-party APIs, any scenario where Apache stands between your infrastructure and something you don’t fully control.
WHAT TO DO
Upgrade Apache to 2.4.68 — it’s the only way to close most of these vulnerabilities, and there are no workarounds. On Debian and Ubuntu the package is apache2 — apt update syncs the package lists, apt install apache2 installs the current version:
sudo apt update && sudo apt install apache2
On RHEL, CentOS, and Fedora the package is httpd. After updating, restart the service explicitly and check the version — the output of httpd -v should show Server version: Apache/2.4.68:
sudo dnf update httpd
sudo systemctl restart httpd
httpd -v
On Debian and Ubuntu, verify that Apache restarted cleanly after the package update — systemctl status apache2 should show active (running). Then confirm the installed version with apache2 -v, which should report Server version: Apache/2.4.68:
sudo systemctl status apache2
apache2 -v
One important nuance: distributions sometimes backport security patches into older package versions without bumping the Apache version number. If apache2 -v shows an older version but the package was recently updated, check your distribution’s changelog — the fixes from 2.4.68 may already be present. The apt-cache policy apache2 command shows the installed package version next to the candidate version available in the repository, so you can match the installed version against the changelog entry that lists the fixes:
apt-cache policy apache2
If an immediate upgrade isn’t possible, reduce your exposure by disabling modules you’re not using. If mod_ldap with per-directory LDAP authentication isn’t in use — disable it. If mod_proxy_ftp isn’t needed — disable it. If HTTP/2 isn’t required, disabling mod_http2 removes the CVE-2026-49975 DoS vector (and the mod_http2 use-after-free, CVE-2026-48913, with it). This isn’t a substitute for patching, but it narrows the attack surface in the meantime:
sudo a2dismod ldap authnz_ldap
sudo a2dismod proxy_ftp
sudo a2dismod http2
sudo systemctl restart apache2
Note: a2dismod is a Debian/Ubuntu tool. On RHEL-compatible systems, disable modules by commenting out the relevant LoadModule directives in /etc/httpd/conf.modules.d/ and restarting the service.
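The checks above can be tied together in one script. The following is an added example, not code from the advisory or from the Apache project: a POSIX shell script that parses the Server version: line printed by httpd -v or apache2 -v, compares it numerically with 2.4.68, and lists which of the modules this advisory names appear in apachectl -M output. The version string and module list embedded in it are constructed samples, and the module-to-CVE mapping is my own reading of the advisory text; on a real host, feed it the live output of apache2 -v and apachectl -M instead.

```shell
#!/bin/sh
# Added example, not part of the advisory: a defender-side exposure check.
# It parses `httpd -v` / `apache2 -v` and `apachectl -M` output, flags a build
# older than 2.4.68, and lists which advisory-named modules are loaded.
# The two samples below are constructed so the script runs with no Apache
# installed; replace them with "$(apache2 -v)" and "$(apachectl -M 2>/dev/null)".

FIXED_VERSION="2.4.68"

# Constructed sample: what an unpatched Debian build might report.
SAMPLE_VERSION='Server version: Apache/2.4.67 (Debian)
Server built:   2026-05-01T00:00:00'

# Constructed sample module list in `apachectl -M` format.
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 so_module (static)
 http2_module (shared)
 proxy_module (shared)
 proxy_ftp_module (shared)
 ssl_module (shared)'

# Module identifiers as shown by `apachectl -M`, paired with the CVEs the
# advisory text ties to that module (my mapping, derived from the advisory).
# CVE-2026-44119 (ap_expr) and CVE-2026-44631 (ap_regname) live in core and
# apply to every build below 2.4.68 regardless of which modules are loaded.
AFFECTED_MODULES='ldap_module CVE-2026-29167
http2_module CVE-2026-48913 CVE-2026-49975
proxy_html_module CVE-2026-34355
xml2enc_module CVE-2026-42536
proxy_ftp_module CVE-2026-29170 CVE-2026-44186
headers_module CVE-2026-43951
dav_fs_module CVE-2026-42535
ssl_module CVE-2026-44185'

# Extract the dotted version ("2.4.67") from the "Server version:" line.
apache_version() {
    printf '%s\n' "$1" \
        | sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*/\1/p' \
        | head -n 1
}

# True (exit 0) when dotted version $1 is numerically older than $2.
# Components are compared as integers; a missing component counts as 0.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; bx=${b%%.*}
        [ -n "$ax" ] || ax=0
        [ -n "$bx" ] || bx=0
        if [ "$ax" -lt "$bx" ]; then return 0; fi
        if [ "$ax" -gt "$bx" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a="" ;; esac
        case $b in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    return 1
}

# Print "<module> <CVE...>" for each advisory-named module present in the
# `apachectl -M` text passed as $1.
affected_modules() {
    loaded="$1"
    printf '%s\n' "$AFFECTED_MODULES" | while IFS=' ' read -r mod cves; do
        if printf '%s\n' "$loaded" | grep -q -- "^ *${mod}[ (]"; then
            printf '%s %s\n' "$mod" "$cves"
        fi
    done
}

# Print a short exposure report for version text $1 and module text $2.
assess() {
    ver=$(apache_version "$1")
    if [ -z "$ver" ]; then
        echo "could not find a 'Server version:' line in the input"
        return 0
    fi
    if version_lt "$ver" "$FIXED_VERSION"; then
        echo "Apache $ver is older than $FIXED_VERSION: core issues CVE-2026-44119 and CVE-2026-44631 apply regardless of modules"
        echo "  (the distribution may have backported the fixes; check the package changelog before concluding)"
        echo "Loaded modules the advisory names:"
        affected_modules "$2" | sed 's/^/  /'
    else
        echo "Apache $ver is at or above $FIXED_VERSION"
    fi
}

assess "$SAMPLE_VERSION" "$SAMPLE_MODULES"
```

A version below 2.4.68 is a reason to look further, not a verdict: as the backport note above explains, a distribution package may carry the 2.4.68 fixes under an older version string, so the changelog check still decides.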
CONCLUSIONS
Apache 2.4.68 is a mandatory upgrade. Thirteen CVEs including privilege escalation via .htaccess and an unauthenticated HTTP/2 DoS don’t leave much room for delay. Any installation running 2.4.0 through 2.4.67 is exposed on multiple vectors simultaneously.
The priorities shift depending on your setup. Shared hosting providers need CVE-2026-44119 closed first — it’s a direct risk to every customer on the server. Public-facing servers running HTTP/2 should treat CVE-2026-49975 as the urgent item — unauthenticated DoS with no workaround. Reverse proxies in front of untrusted backends need the proxy module fixes. But the honest answer for everyone is the same: upgrade to Apache 2.4.68.
