cbcvebase.
CVE-2026-44631
published 2026-06-08

CVE-2026-44631: Buffer Underwrite vulnerability in Apache HTTP Server on crafted regular expressions in the configuration. This issue affects Apache HTTP Server: from 2.4.0…

PriorityP259critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.49%
38.2th percentile
Buffer Underwrite vulnerability in Apache HTTP Server on crafted regular expressions in the configuration. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.

Affected

3 ranges
VendorProductVersion rangeFixed in
apachehttp_server>= 2.4.0 < 2.4.682.4.68
apachehttpd
apache_software_foundationapache_http_server2.4.0 – 2.4.67

Detection & IOCsextracted from sources · hover to see the quote

  • Exploitation requires a crafted regular expression in Apache HTTP Server configuration directives such as DirectoryMatch, Directory ~, ProxyMatch, etc., processed at parse/reload time — monitor configuration changes involving these directives for anomalous or overly complex regex patterns.
  • The bug triggers on crafted regex in config at start/reload via directives including DirectoryMatch, Directory ~, ProxyMatch — audit these directives in httpd configuration files for unexpected or injected regex.
  • Vulnerable code path is in ap_regname(); patch reference is SVN r1935015 — use this to identify unpatched binaries or validate backport status.
  • Apache HTTP Server versions 2.4.0 through 2.4.67 are affected; presence of these versions in inventory should be flagged for patching.
  • ·AllowOverride None (the default RHEL configuration) prevents untrusted users from injecting crafted regex via .htaccess, significantly reducing attack surface — verify this setting is enforced.
  • ·Remote unauthenticated HTTP clients cannot directly trigger this flaw; exploitation is limited to those who can modify httpd configuration and trigger a reload/restart.
  • ·Restrict who can modify httpd configuration and reload the service to minimize exploitation risk.
  • ·Only load trusted Apache configuration to prevent exploitation; the vulnerability is triggered at server start or reload time via crafted regex in config.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_redhat9.8CRITICAL
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.