CVE-2026-29169
NULL Pointer Dereference in Apache HTTP Server mod_dav_lock
Publication date: 2026-05-04
Last updated on: 2026-05-05
Assigner: Apache Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | http_server | to 2.4.67 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a NULL pointer dereference in the mod_dav_lock module of Apache HTTP Server versions 2.4.66 and earlier. It may allow an attacker to crash the server by sending a malicious request. The mod_dav_lock module is not used internally by mod_dav or mod_dav_fs, and its only known use was with mod_dav_svn from Apache Subversion versions earlier than 1.2.0.
How can this vulnerability impact me? :
The primary impact of this vulnerability is that an attacker can cause a denial of service by crashing the Apache HTTP Server. This happens because the NULL pointer dereference leads to a server crash when processing a malicious request. There is no indication that this vulnerability allows data theft or modification.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, users are recommended to upgrade Apache HTTP Server to version 2.4.66, which fixes the issue.
Alternatively, users can remove the mod_dav_lock module from their server configuration.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.