cbcvebase.
CVE-2026-29167
published 2026-06-08

CVE-2026-29167: Use After Free vulnerability in Apache HTTP Server with mod_ldap in per-directory configuration This issue affects Apache HTTP Server: from 2.4.0 through…

PriorityP259critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.66%
47.0th percentile
Use After Free vulnerability in Apache HTTP Server with mod_ldap in per-directory configuration This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.

Affected

3 ranges
VendorProductVersion rangeFixed in
apachehttp_server>= 2.4.0 < 2.4.682.4.68
apachehttpd
apache_software_foundationapache_http_server2.4.0 – 2.4.67

Detection & IOCsextracted from sources · hover to see the quote

  • Vulnerability is only triggerable when mod_ldap is loaded AND configured in a per-directory context (<Directory>, <Location>, <Files>, or .htaccess). Server-wide LDAP configuration does not trigger the use-after-free.
  • The UAF occurs in the per-directory configuration merge path, not in the hot request-handling path. Detection focus should be on config-merge-time crashes (child process segfaults) in Apache prefork/worker/event MPMs when mod_ldap per-directory config is present.
  • Realistic exploitation outcome is a transient DoS via child process segfault (parent respawns workers). Monitor Apache error logs for repeated child process crashes (segfaults) when mod_ldap per-directory config is active.
  • Affected version range is Apache HTTP Server 2.4.0 through 2.4.67. Audit deployed httpd version strings to identify vulnerable instances.
  • ·mod_ldap is not loaded by default in Apache HTTP Server. The vulnerability only manifests when mod_ldap is explicitly loaded AND LDAP directives are placed in a per-directory context (<Directory>, <Location>, <Files>, or .htaccess). Server-wide LDAP configuration is NOT affected.
  • ·RCE reliability is substantially reduced by Apache's process model. In prefork MPM, a crash kills only one child process and the parent respawns it. In worker/event MPMs, per-process address space isolation further limits exploit reliability. Practical impact is most likely transient DoS, not code execution.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_redhat9.8CRITICAL
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.