HIGH 7.5

CVE-2026-34355: Apache HTTP Server mod_proxy_html Buffer Overflow (DoS)

Apache HTTP Server versions 2.4.67 and earlier contain a buffer overflow vulnerability in the mod_proxy_html module. An attacker controlling a backend server can exploit this flaw to crash the web server, resulting in denial of service. The vulnerability requires network access but no authentication or user interaction. Upgrading to version 2.4.68 or later resolves the issue.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-120, CWE-122
Affected products
1 configuration(s)
Published / Modified
2026-06-08 / 2026-07-15

NVD description (verbatim)

A buffer overflow in mod_proxy_html in Apache HTTP Server 2.4.67 and earlier allows an attack by an untrusted backend. Users are recommended to upgrade to version 2.4.68, which fixes this issue.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-34355 is a stack or heap buffer overflow (CWE-120, CWE-122) in Apache HTTP Server's mod_proxy_html module. The module processes HTML content proxied from backend servers without sufficient bounds checking. A malicious or compromised backend can send specially crafted content that overflows a fixed-size buffer, triggering a crash. The CVSS 3.1 score of 7.5 reflects high availability impact with no confidentiality or integrity compromise. Attack complexity is low and no authentication is required.

Business impact

The denial-of-service impact means affected web servers become temporarily unavailable when exploited. For organizations relying on Apache to front-end backend services or reverse-proxy applications, this vulnerability can interrupt service availability. Downtime affects both external users and internal systems depending on backend. The ease of exploitation (no authentication required) makes this a practical concern for any exposed Apache instance using mod_proxy_html.

Affected systems

Apache HTTP Server 2.4.67 and earlier versions are affected. This includes all 2.4.x releases up to and including 2.4.67, plus earlier major versions if they contain mod_proxy_html. Organizations using Apache in reverse-proxy or content-transformation roles are at highest risk. The vulnerability does not affect web servers that do not load or use the mod_proxy_html module.

Exploitability

Exploitation is straightforward from a network perspective: no authentication, no user interaction, and low attack complexity. However, the attacker must control or compromise the backend server that Apache proxies to. This limits exploitation to scenarios where the backend is untrusted, misconfigured, or already compromised. For internal reverse-proxy setups with untrusted upstream sources, the risk is immediate.

Remediation

Upgrade Apache HTTP Server to version 2.4.68 or later, which contains the fix. Organizations unable to upgrade immediately should disable mod_proxy_html if it is not essential, or restrict backend connections to trusted sources only. Review firewall and network rules to minimize exposure to untrusted backend servers.

Patch guidance

Verify the availability of Apache HTTP Server 2.4.68 or later from the official Apache project repository or your system vendor. Test the upgrade in a non-production environment first to ensure compatibility with existing proxy configurations and modules. Most distributions will provide updated packages; use your package manager (apt, yum, etc.) to deploy. After upgrading, restart Apache and verify that proxy_html operations continue as expected.

Detection guidance

Monitor Apache error and access logs for unexpected crashes or server restarts coinciding with specific backend requests. Abnormal HTML content in proxy requests—especially binary or non-UTF8 data—may indicate an attack attempt. Network-based detection is difficult without deep packet inspection into proxied content. Enable detailed logging of mod_proxy_html if available, and consider segmenting backend networks to reduce attack surface.

Why prioritize this

High CVSS score (7.5) combined with low attack complexity and the prevalence of Apache in production environments warrant prompt attention. Although exploitation requires a malicious backend, supply-chain risks and internal compromises are realistic. Organizations with internet-facing reverse proxies pointing to untrusted or third-party backends should prioritize this immediately; those with strictly internal, trusted backend connections can schedule updates within standard maintenance windows.

Risk score, explained

CVSS 3.1 score of 7.5 (HIGH) reflects complete availability loss (denial of service) with no confidentiality or integrity impact. Network accessibility and low attack complexity increase the base score. The requirement for an attacker to control the backend limits real-world exploitation frequency but does not reduce the technical severity of the vulnerability itself.

Frequently asked questions

Does this affect my Apache server if mod_proxy_html is not loaded?

No. If mod_proxy_html is not compiled in or explicitly enabled in your Apache configuration, this vulnerability does not apply. Check your httpd.conf or module directory to confirm the module status.

Can I mitigate this without upgrading if my backends are all trusted?

Trusted internal backends reduce the risk surface significantly, but the vulnerability still exists in code. Upgrading to 2.4.68 is the proper fix. As an interim measure, you could use network segmentation to restrict backend connections, but this is not a substitute for patching.

What is the difference between CWE-120 and CWE-122 here?

Both are buffer overflow types. CWE-120 (Classic Buffer Overflow) and CWE-122 (Heap-based Buffer Overflow) are related weaknesses; the vulnerability likely touches both categories depending on the specific buffer involved in mod_proxy_html's HTML processing.

Will my proxy configuration settings change after upgrading to 2.4.68?

The fix is internal to the buffer handling logic. Your existing proxy and proxy_html directives should continue to work without modification. Always test in a staging environment before production deployment.

This analysis is based on CVE-2026-34355 as published on 2026-06-08. Specific patch availability, version compatibility, and deployment procedures may vary by distribution. Always consult the Apache HTTP Server security advisory and your vendor's documentation before deploying patches. No exploit code or weaponized proof-of-concept is provided. Organizations should conduct their own risk assessment and testing in alignment with their security policies. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).