HIGH 7.3

CVE-2026-44185: Apache HTTP Server Buffer Over-read via OCSP – Patch to 2.4.68

Apache HTTP Server contains a buffer over-read flaw that can be exploited when the server makes outbound OCSP (Online Certificate Status Protocol) requests to verify certificate revocation. An attacker controlling a malicious OCSP server can send specially crafted responses that cause the Apache process to read beyond allocated memory boundaries. This affects all versions from 2.4.0 through 2.4.67. The vulnerability allows information disclosure, integrity compromise, and service disruption, though exploitation requires the attacker to position themselves as a trusted OCSP responder or intercept OCSP traffic.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-125, CWE-126
Affected products
1 configuration(s)
Published / Modified
2026-06-08 / 2026-07-15

NVD description (verbatim)

Buffer Over-read vulnerability in Apache HTTP Server via outbound OCSP requests to an attacker controlled OCSP server This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-44185 is a buffer over-read vulnerability (CWE-125, CWE-126) in Apache HTTP Server's OCSP request handling. When Apache initiates outbound OCSP requests to validate client or peer certificates, an attacker-controlled OCSP server can return a malformed response that triggers out-of-bounds memory access in the server's response parsing logic. The vulnerability stems from insufficient bounds checking when processing OCSP responses. An attacker must either compromise or spoof an OCSP responder that the target Apache instance trusts. The buffer over-read can leak sensitive data from adjacent memory regions, corrupt internal state, or crash the server process.

Business impact

Organizations running vulnerable Apache HTTP Server versions may experience confidentiality breaches if OCSP responses are intercepted or manipulated, potential data leakage through memory disclosure, and service interruptions from crashes. For infrastructure relying on Apache for critical applications (web services, APIs, reverse proxies), exploitation could lead to unplanned downtime and exposure of sensitive information. The impact is heightened in environments with strict certificate validation policies or where OCSP stapling is not employed.

Affected systems

Apache HTTP Server versions 2.4.0 through 2.4.67 are affected. This encompasses most modern production deployments of Apache 2.4.x unless already patched. The vulnerability only manifests when the server is configured to make outbound OCSP requests, typically for client certificate validation or peer validation in reverse proxy scenarios. Default configurations with OCSP validation enabled or explicitly configured are at risk.

Exploitability

Exploitation requires network access to OCSP traffic or the ability to impersonate an OCSP responder that the target Apache server trusts. The attack vector is network-based with low complexity—no special privileges or user interaction needed. However, the attacker must successfully intercept or spoof OCSP communications, which is non-trivial in properly secured networks. The CVSS score of 7.3 (HIGH) reflects the combination of network-based attack surface, low attack complexity, and potential for multiple impact types (confidentiality, integrity, availability).

Remediation

Upgrade Apache HTTP Server to version 2.4.68 or later, which includes the fix for this buffer over-read vulnerability. Organizations unable to patch immediately should review OCSP configuration: disable OCSP validation if not operationally necessary, use OCSP stapling to reduce outbound OCSP requests, or implement network segmentation to restrict OCSP responder communication paths. Monitor logs for unexpected OCSP request failures or crashes related to certificate validation.

Patch guidance

Apply Apache HTTP Server version 2.4.68 as soon as feasible. Verify compatibility with your current modules and configurations before deploying to production. Test the patched version in a staging environment to ensure no regressions with certificate validation workflows. Package managers (apt, yum, apk) typically lag behind upstream releases by days to weeks; check your distribution's security advisories for availability. Prioritize patching systems handling client certificates or operating as reverse proxies.

Detection guidance

Monitor Apache error logs for segmentation faults (SIGSEGV) or abnormal termination during OCSP requests. Track OCSP request and response patterns—sudden spikes in failures or malformed response messages may indicate exploitation attempts. Use network intrusion detection to identify malicious OCSP responses or traffic anomalies. Review Apache access and SSL/TLS logs for unusual certificate validation behavior. Consider deploying memory-safety tools (AddressSanitizer) in staging to catch buffer violations before production exposure.

Why prioritize this

This vulnerability rates HIGH severity due to its network-accessible attack vector, low complexity, and potential for information disclosure combined with service disruption. While exploitation requires specific conditions (attacker-controlled OCSP server or traffic interception), the prevalence of Apache in production environments and the increasing use of client certificate authentication make it a meaningful risk. Patch quickly, especially for infrastructure handling sensitive data or critical services.

Risk score, explained

The CVSS 3.1 score of 7.3 reflects: Network-based attack vector (AV:N) with no authentication required (PR:N, UI:N), low attack complexity (AC:L), and impacts across confidentiality (C:L), integrity (I:L), and availability (A:L). The score does not account for the requirement to control an OCSP responder, which would reduce real-world exploitability in well-segmented networks. Threat actors with network positioning (ISP-level, BGP hijacking, DNS poisoning) would find this practical to exploit.

Frequently asked questions

Do we need to patch if we don't use client certificate authentication?

Possibly. The vulnerability applies to any outbound OCSP request Apache makes, including validation of peer certificates in reverse proxy or gateway scenarios. Review your Apache configuration for SSLVerifyClient, SSLVerifyDepth, and OCSP stapling settings. If OCSP requests are not configured, the attack surface is eliminated.

What's the difference between a buffer over-read and a buffer overflow?

A buffer over-read allows an attacker to read data beyond allocated memory without writing to it, leading to information disclosure. A buffer overflow writes excess data, enabling code execution or corruption. This vulnerability is over-read only, limiting the attacker to reading sensitive memory—still serious, but not as severe as overflow exploitation.

Will OCSP stapling eliminate the risk?

OCSP stapling significantly reduces risk by having the web server include a pre-fetched OCSP response from the certificate issuer, eliminating the need for client browsers to contact the OCSP responder directly. However, if Apache itself is configured to fetch OCSP responses for outbound peer validation, stapling alone does not protect against that specific traffic.

How long has this been exploitable?

The vulnerability affects Apache 2.4.0 through 2.4.67, dating back to 2012 for version 2.4.0. However, real-world exploitation would require an attacker to control or intercept OCSP traffic, which is not trivial. No public evidence of exploitation in the wild has been reported as of the current date.

This analysis is based on publicly available vulnerability data and vendor advisories as of the publication date. Specific patch availability, timelines, and compatibility depend on your Linux distribution, package manager, and organizational deployment practices. Always verify patch status against your vendor's official security advisories before relying on version numbers cited here. No proof-of-concept code or exploitation techniques are provided. Testing in a non-production environment is strongly recommended before deploying patches to production infrastructure. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).