CVE-2026-44631
Published 2026-06-08
Priority P259 · critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.49% (38.2th percentile)
Buffer Underwrite vulnerability in Apache HTTP Server on crafted regular expressions in the configuration.
This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.
Users are recommended to upgrade to version 2.4.68, which fixes the issue.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | http_server | >= 2.4.0 < 2.4.68 | 2.4.68 |
| apache | httpd | — | — |
| apache_software_foundation | apache_http_server | 2.4.0 – 2.4.67 | — |
Detection & IOCs (extracted from sources)
- Exploitation requires a crafted regular expression in Apache HTTP Server configuration directives such as DirectoryMatch, Directory ~, ProxyMatch, etc., processed at parse/reload time: monitor configuration changes involving these directives for anomalous or overly complex regex patterns.
- The bug triggers on crafted regex in config at start/reload via directives including DirectoryMatch, Directory ~, ProxyMatch: audit these directives in httpd configuration files for unexpected or injected regex.
- Vulnerable code path is in ap_regname(); patch reference is SVN r1935015. Use this to identify unpatched binaries or validate backport status.
- Apache HTTP Server versions 2.4.0 through 2.4.67 are affected; presence of these versions in inventory should be flagged for patching.
- AllowOverride None (the default RHEL configuration) prevents untrusted users from injecting crafted regex via .htaccess, significantly reducing attack surface: verify this setting is enforced.
- Remote unauthenticated HTTP clients cannot directly trigger this flaw; exploitation is limited to those who can modify httpd configuration and trigger a reload/restart.
- Restrict who can modify httpd configuration and reload the service to minimize exploitation risk.
- Only load trusted Apache configuration to prevent exploitation; the vulnerability is triggered at server start or reload time via crafted regex in config.
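The detection items above reduce to three repeatable checks: find the regex-bearing container directives in the loaded configuration, report any AllowOverride setting other than None, and flag builds whose reported version is below the fixed release. The script below is an added example written for this record; it is not code from Apache, Red Hat, VulDB or any other source listed here. It assumes the configuration is available as text (for example the output of `httpd -t -DDUMP_CONFIG` or the files under the ServerRoot), that the version comes from the `Server version: Apache/x.y.z` line printed by `httpd -v`, and that LocationMatch and FilesMatch (plus the `~` forms of Location and Files) belong to the same family of regex-taking containers as the DirectoryMatch, Directory ~ and ProxyMatch directives the advisory names. The complexity thresholds and the named-group count are heuristics chosen for this example, not values from the advisory.

```python
"""Audit httpd configuration text for the conditions the CVE-2026-44631
advisories call out: regex-bearing container directives, AllowOverride
settings that let .htaccess authors supply regex, and server versions
below the fixed release 2.4.68.

Added example for this record; not Apache's or any vendor's code.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

FIXED_VERSION = (2, 4, 68)  # advisory: 2.4.68 fixes the issue
FIRST_AFFECTED = (2, 4, 0)  # advisory: affected from 2.4.0

# Regex-taking containers. DirectoryMatch, Directory ~ and ProxyMatch are
# named in the advisory; LocationMatch/FilesMatch and the other "~" forms
# are assumed here to be further members of the same family.
_MATCH_CONTAINER = re.compile(
    r'^\s*<\s*(?P<name>DirectoryMatch|LocationMatch|FilesMatch|ProxyMatch)\s+'
    r'(?P<pat>"[^"]*"|\S+)\s*>', re.IGNORECASE)
_TILDE_CONTAINER = re.compile(
    r'^\s*<\s*(?P<name>Directory|Location|Files|Proxy)\s+~\s+'
    r'(?P<pat>"[^"]*"|\S+)\s*>', re.IGNORECASE)
_ALLOWOVERRIDE = re.compile(r'^\s*AllowOverride\s+(?P<val>.+?)\s*$', re.IGNORECASE)
# PCRE named groups: (?<name>...) or (?P<name>...)
_NAMED_GROUP = re.compile(r'\(\?P?<[A-Za-z_][A-Za-z0-9_]*>')
_VERSION = re.compile(r'Server version:\s*Apache/(\d+)\.(\d+)\.(\d+)')

# Heuristic thresholds (this example's assumption, not advisory values).
MAX_PATTERN_LEN = 200
MAX_NAMED_GROUPS = 8


@dataclass
class Finding:
    line: int     # 1-based line in the audited text
    kind: str     # regex-directive | complex-regex | allowoverride
    detail: str


def audit_config(text: str) -> List[Finding]:
    """Return one Finding per regex-bearing container (plus a complexity
    flag when the pattern is long or carries many named groups) and one
    per AllowOverride that is not None."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if raw.lstrip().startswith('#'):  # httpd comments start a line
            continue
        m = _MATCH_CONTAINER.match(raw) or _TILDE_CONTAINER.match(raw)
        if m:
            pat = m.group('pat').strip('"')
            findings.append(Finding(lineno, 'regex-directive',
                                    f"{m.group('name')} {pat!r}"))
            ngroups = len(_NAMED_GROUP.findall(pat))
            if len(pat) > MAX_PATTERN_LEN or ngroups > MAX_NAMED_GROUPS:
                findings.append(Finding(lineno, 'complex-regex',
                                        f"len={len(pat)} named_groups={ngroups}"))
            continue
        m = _ALLOWOVERRIDE.match(raw)
        if m and m.group('val').strip().lower() != 'none':
            findings.append(Finding(lineno, 'allowoverride', m.group('val').strip()))
    return findings


def is_vulnerable_version(httpd_v_output: str) -> Optional[bool]:
    """True if the 'httpd -v' banner reports 2.4.0 <= version < 2.4.68,
    False if outside that range, None if no version line was found.
    A distribution build may carry the r1935015 backport without a version
    bump, so treat True as a triage signal, not proof of exposure."""
    m = _VERSION.search(httpd_v_output)
    if not m:
        return None
    ver = tuple(int(x) for x in m.groups())
    return FIRST_AFFECTED <= ver < FIXED_VERSION


# Constructed sample configuration (not a real deployment).
SAMPLE_CONFIG = """\
# constructed sample
ServerRoot "/etc/httpd"
<Directory "/var/www/html">
    AllowOverride None
</Directory>
<DirectoryMatch "^/var/www/(?<site>[a-z]+)/private">
    Require all denied
</DirectoryMatch>
<Directory ~ "^/var/www/users/[^/]+/public">
    AllowOverride All
</Directory>
<ProxyMatch "^https?://internal\\.(?<a>x)(?<b>x)(?<c>x)(?<d>x)(?<e>x)(?<f>x)(?<g>x)(?<h>x)(?<i>x)/">
    Require all granted
</ProxyMatch>
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f.line:>4}  {f.kind:<16} {f.detail}")
    # constructed banner, as 'httpd -v' prints it
    print("vulnerable version:", is_vulnerable_version("Server version: Apache/2.4.67 (Unix)"))
```

On the constructed sample the audit reports the DirectoryMatch, Directory ~ and ProxyMatch containers, flags the ProxyMatch pattern as complex (nine named groups), and reports the `AllowOverride All` on the user directory tree; the version helper returns True for 2.4.67 and False for 2.4.68. Run it against the output of `httpd -t -DDUMP_CONFIG` to see the configuration as the server actually loads it, including any Include'd files.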
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vendor_redhat | — | 9.8 | CRITICAL | — |
VulDB
Apache HTTP Server up to 2.4.67 ap_regname heap-based overflow (EUVD-2026-35095)
vuldb · 2026-06-08 · CVSS 9.8 · CRITICAL
A vulnerability classified as critical has been found in Apache HTTP Server up to 2.4.67. This vulnerability affects the function ap_regname. Performing a manipulation results in heap-based buffer overflow.
This vulnerability is reported as CVE-2026-44631. The attack requires a local approach. No exploit exists.
It is recommended to upgrade the affected component.
GHSA
Buffer Underwrite vulnerability in Apache HTTP Server on crafted regular expressions in the configuration.
ghsa_unreviewed · 2026-06-08 · CRITICAL · CWE-124
Buffer Underwrite vulnerability in Apache HTTP Server on crafted regular expressions in the configuration.
This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.
Users are recommended to upgrade to version 2.4.68, which fixes the issue.
Red Hat
httpd: Apache HTTP Server: Denial of Service via crafted regular expressions
vendor_redhat · 2026-06-08 · CVSS 9.8 · CRITICAL · CWE-124
Buffer Underwrite vulnerability in Apache HTTP Server on crafted regular expressions in the configuration.
This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.
Users are recommended to upgrade to version 2.4.68, which fixes the issue.
A flaw was found in Apache HTTP Server. This buffer underwrite vulnerability occurs when processing crafted regular expressions in the server's configuration. An attacker could potentially exploit this to cause a denial of service.
Statement: Affected httpd versions include vulnerable ap_regname() code. Exploitation requires a crafted regular expression in Apache configuration at parse/reload time. Default RHEL configurations use AllowOverride None, which prevents unt
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-44631 httpd: Apache HTTP Server: Denial of Service via crafted regular expressions [fedora-all]
bugzilla · 2026-06-12 · CVSS 9.8 · CRITICAL
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-44631 httpd: Apache HTTP Server: Denial of Service via crafted regular expressions
bugzilla · 2026-06-08 · CVSS 9.8 · CRITICAL
Buffer Underwrite vulnerability in Apache HTTP Server on crafted regular expressions in the configuration.
This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.
Users are recommended to upgrade to version 2.4.68, which fixes the issue.
Published: 2026-06-08