CVE-2026-29167
Published 2026-06-08
CVE-2026-29167: Use After Free vulnerability in Apache HTTP Server with mod_ldap in per-directory configuration. This issue affects Apache HTTP Server: from 2.4.0 through…
Priority P259 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.66% (47.0th percentile)
Use After Free vulnerability in Apache HTTP Server with mod_ldap in per-directory configuration
This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.
Users are recommended to upgrade to version 2.4.68, which fixes the issue.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | http_server | >= 2.4.0 < 2.4.68 | 2.4.68 |
| apache | httpd | — | — |
| apache_software_foundation | apache_http_server | 2.4.0 – 2.4.67 | — |
Detection & IOCs (extracted from sources)
- Vulnerability is only triggerable when mod_ldap is loaded AND configured in a per-directory context (<Directory>, <Location>, <Files>, or .htaccess). Server-wide LDAP configuration does not trigger the use-after-free.
- The UAF occurs in the per-directory configuration merge path, not in the hot request-handling path. Detection focus should be on config-merge-time crashes (child process segfaults) in Apache prefork/worker/event MPMs when mod_ldap per-directory config is present.
- Realistic exploitation outcome is a transient DoS via child process segfault (the parent respawns workers). Monitor Apache error logs for repeated child process crashes (segfaults) when mod_ldap per-directory config is active.
- Affected version range is Apache HTTP Server 2.4.0 through 2.4.67. Audit deployed httpd version strings to identify vulnerable instances.
- mod_ldap is not loaded by default in Apache HTTP Server. The vulnerability only manifests when mod_ldap is explicitly loaded AND LDAP directives are placed in a per-directory context (<Directory>, <Location>, <Files>, or .htaccess). Server-wide LDAP configuration is NOT affected.
- RCE reliability is substantially reduced by Apache's process model. In prefork MPM, a crash kills only one child process and the parent respawns it. In worker/event MPMs, per-process address space isolation further limits exploit reliability. Practical impact is most likely transient DoS, not code execution.
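The three checks the bullets above call for (version audit, per-directory mod_ldap configuration, child segfault monitoring) as one added example; this is not code from the page or from the Apache project. It assumes `Apache/x.y.z` version strings, treats any directive beginning with `LDAP` as a mod_ldap directive (an assumption), assumes the AH00052 wording for a child killed by SIGSEGV, and all sample inputs are constructed.

```python
import re
# Affected range from the advisory: 2.4.0 through 2.4.67, fixed in 2.4.68.
FIRST_AFFECTED, FIXED = (2, 4, 0), (2, 4, 68)
VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")
# Per-directory containers named in the advisory; .htaccess is per-directory throughout.
CONTAINER_RE = re.compile(r"^\s*<(Directory|Location|Files)(Match)?\b", re.I)
CONTAINER_END_RE = re.compile(r"^\s*</(Directory|Location|Files)(Match)?>", re.I)
LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+ldap_module\b", re.I)
LDAP_DIRECTIVE_RE = re.compile(r"^\s*LDAP\w+\s", re.I)  # any mod_ldap directive (assumed naming)
# Assumed wording of httpd's AH00052 notice for a child killed by SIGSEGV.
SEGV_RE = re.compile(r"AH00052: child pid \d+ exit signal Segmentation fault \(11\)")

def is_affected_version(text):
    """True if an 'Apache/x.y.z' string (Server header or `httpd -v` output) falls in 2.4.0..2.4.67."""
    m = VERSION_RE.search(text)
    return m is not None and FIRST_AFFECTED <= tuple(int(x) for x in m.groups()) < FIXED

def per_directory_ldap_config(conf_lines, is_htaccess=False):
    """Return (mod_ldap loaded?, line numbers of LDAP* directives in a per-directory context)."""
    base = 1 if is_htaccess else 0          # .htaccess content is per-directory even at top level
    loaded, depth, hits = False, base, []
    for n, line in enumerate(conf_lines, 1):
        if LOADMODULE_RE.match(line):
            loaded = True
        elif CONTAINER_RE.match(line):
            depth += 1
        elif CONTAINER_END_RE.match(line):
            depth = max(depth - 1, base)
        elif depth > 0 and LDAP_DIRECTIVE_RE.match(line):
            hits.append(n)                  # server-wide LDAP* lines (depth 0) are not flagged
    return loaded, hits

def count_child_segfaults(log_lines):
    """Count AH00052 child segfault notices; repeated hits with LDAP per-dir config is the signal to watch."""
    return sum(1 for line in log_lines if SEGV_RE.search(line))

# Constructed sample inputs (not from a real host).
SAMPLE_CONF = """\
LoadModule ldap_module modules/mod_ldap.so
LDAPSharedCacheSize 500000
<Directory "/var/www/secure">
    LDAPReferrals Off
    Require valid-user
</Directory>
""".splitlines()
SAMPLE_LOG = [
    "[Mon Jun 08 10:00:01.000000 2026] [core:notice] [pid 1000] AH00052: child pid 1201 exit signal Segmentation fault (11)",
    "[Mon Jun 08 10:00:05.000000 2026] [core:notice] [pid 1000] AH00052: child pid 1202 exit signal Segmentation fault (11)",
]
```

Run `per_directory_ldap_config` over httpd.conf and every included file, and with `is_htaccess=True` over each .htaccess, since the advisory scopes the bug to exactly those contexts.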
CVSS provenance
NVD (CVSS v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Red Hat (vendor): 9.8 CRITICAL
VulDB
Apache HTTP Server up to 2.4.67 mod_ldap use after free (EUVD-2026-35086)
vuldb · 2026-06-09
A vulnerability has been found in Apache HTTP Server up to 2.4.67 and classified as critical. This issue affects some unknown processing of the component mod_ldap. The manipulation leads to use after free.
This vulnerability is uniquely identified as CVE-2026-29167. The attack can be carried out remotely. No exploit exists.
The affected component should be upgraded.
GHSA
Use After Free vulnerability in Apache HTTP Server with mod_ldap in per-directory configuration (CWE-416). This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.
ghsa_unreviewed · 2026-06-08
Red Hat
httpd: Apache HTTP Server: Arbitrary code execution or denial of service via use-after-free in mod_ldap per-directory configuration (CWE-825)
vendor_redhat · 2026-06-08 · CVSS 9.8
A flaw was found in Apache HTTP Server when using the `mod_ldap` module in a per-directory configuration. This use-after-free vulnerability allows a remote attacker to potentially execute arbitrary code or cause a denial of service (DoS) due to improper memory handling. This could lead to system instability or unauthorized control over the affected server.
Statement: CISA's 9.8 is a mechanical worst-case UAF score. Their vec
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-29167 httpd: Apache HTTP Server: Arbitrary code execution or denial of service via use-after-free in mod_ldap per-directory configuration [fedora-all]
bugzilla · 2026-06-30 · CVSS 9.8
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-29167 httpd: Apache HTTP Server: Arbitrary code execution or denial of service via use-after-free in mod_ldap per-directory configuration
bugzilla · 2026-06-08 · CVSS 9.8
Published: 2026-06-08