Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate 2026-06-08T15:19:23 httpd: Apache HTTP Server: Denial of Service via crafted regular expressions 7.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H CWE-124

Buffer Underwrite vulnerability in Apache HTTP Server on crafted regular expressions in the configuration. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.

A flaw was found in Apache HTTP Server. This buffer underwrite vulnerability occurs when processing crafted regular expressions in the server's configuration. An attacker could potentially exploit this to cause a denial of service.

This Moderate impact buffer underwrite flaw in Apache HTTP Server can lead to a denial of service. The vulnerability occurs when processing specially crafted regular expressions within the server's configuration. Exploitation requires a high attack complexity, indicating that specific conditions or a complex attack vector are necessary, thereby limiting the practical risk in typical Red Hat deployments where configuration changes are tightly controlled. Only loadtrustedApache configuration; the bug triggers oncrafted regexin config at start/reload (DirectoryMatch,Directory ~,ProxyMatch, etc.). Keep AllowOverride None where possible so untrusted users cannot inject regex via .htaccess. Restrict who can change httpdconfig and reload the service. Red Hat Enterprise Linux 10 Affected httpd Red Hat Enterprise Linux 6 Affected httpd Red Hat Enterprise Linux 7 Affected httpd Red Hat Enterprise Linux 8 Affected httpd Red Hat Enterprise Linux 9 Affected httpd Red Hat Hardened Images Affected httpd https://www.cve.org/CVERecord?id=CVE-2026-44631 https://nvd.nist.gov/vuln/detail/CVE-2026-44631 https://httpd.apache.org/security/vulnerabilities_24.html