CVE-2026-29169
Modified Modified - Updated After Analysis
NULL Pointer Dereference in Apache HTTP Server mod_dav_lock

Publication date: 2026-05-04

Last updated on: 2026-05-05

Assigner: Apache Software Foundation

Description
A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an attacker to crash the server with a malicious request.mod_dav_lock is not used internally by mod_dav or mod_dav_fs. The only known use-case for mod_dav_lock was mod_dav_svn from Apache Subversion earlier than version 1.2.0. Users are recommended to upgrade to version 2.4.66, which fixes this issue, or remove mod_dav_lock.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-04
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-29169
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apache http_server to 2.4.67 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability is a NULL pointer dereference in the mod_dav_lock module of Apache HTTP Server versions 2.4.66 and earlier. It may allow an attacker to crash the server by sending a malicious request. The mod_dav_lock module is not used internally by mod_dav or mod_dav_fs, and its only known use was with mod_dav_svn from Apache Subversion versions earlier than 1.2.0.

Impact Analysis

The primary impact of this vulnerability is that an attacker can cause a denial of service by crashing the Apache HTTP Server. This happens because the NULL pointer dereference leads to a server crash when processing a malicious request. There is no indication that this vulnerability allows data theft or modification.

Mitigation Strategies

To mitigate this vulnerability, users are recommended to upgrade Apache HTTP Server to version 2.4.66, which fixes the issue.

Alternatively, users can remove the mod_dav_lock module from their server configuration.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29169. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart