{
  "threat_severity" : "Moderate",
  "public_date" : "2026-05-04T12:54:54Z",
  "bugzilla" : {
    "description" : "httpd: mod_proxy_ajp: heap-based buffer over-read due to missing null-termination check",
    "id" : "2464952",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2464952"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.2",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-170",
  "details" : [ "A flaw was found in the mod_proxy_ajp module of httpd. When processing AJP (Apache JServ Protocol) messages, the server fails to properly check if a string is null-terminated before attempting to read it, allowing an attacker or a malformed request to cause a heap-based buffer over-read. This issue potentially leads to memory disclosure and a denial of service." ],
  "statement" : "To exploit this issue, the Apache HTTP Server must be configured to connect to an untrusted or compromised AJP backend server, limiting its exposure. Due to this reason, this flaw has been rated with a moderate severity.\nThis flaw only affects configurations with mod_proxy_ajp loaded and being used. This module can be disabled via the configuration file if its functionality is not being used.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-05-27T00:00:00Z",
    "advisory" : "RHSA-2026:21433",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.2",
    "package" : "httpd-0:2.4.63-13.el10_2.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-05-27T00:00:00Z",
    "advisory" : "RHSA-2026:21391",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "httpd-0:2.4.62-13.el9_8.1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-05-06T00:00:00Z",
    "advisory" : "RHSA-2026:13938",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "httpd-main-2.4.67-0.1.hum1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "httpd:2.4/httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat JBoss Core Services",
    "fix_state" : "Affected",
    "package_name" : "mod_proxy_ajp.so",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-34032\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34032\nhttps://httpd.apache.org/security/vulnerabilities_24.html" ],
  "name" : "CVE-2026-34032",
  "mitigation" : {
    "value" : "Disabling mod_proxy_ajp and restarting httpd will mitigate this flaw.",
    "lang" : "en:us"
  },
  "csaw" : false
}