CVE-2026-29168
Allocation of Resources Without Limits in Apache HTTP Server mod_md
Publication date: 2026-05-05
Last updated on: 2026-05-06
Assigner: Apache Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | http_server | From 2.4.30 (inc) to 2.4.67 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
The vulnerability involves allocation of resources without limits or throttling, which can potentially lead to resource exhaustion on the server.
This may cause denial of service conditions or degraded performance of the Apache HTTP Server when processing OCSP response data.
What immediate steps should I take to mitigate this vulnerability?
Users are recommended to upgrade Apache HTTP Server to version 2.4.67, which fixes the Allocation of Resources Without Limits or Throttling vulnerability in mod_md via OCSP response data.
Can you explain this vulnerability to me?
This vulnerability is an Allocation of Resources Without Limits or Throttling issue in the Apache HTTP Server's mod_md module, specifically related to OCSP response data.
It affects Apache HTTP Server versions from 2.4.30 through 2.4.66 and can be fixed by upgrading to version 2.4.67.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of CVE-2026-29168 on compliance with common standards and regulations such as GDPR or HIPAA.