CVE-2026-44631

Analyzed Analyzed - Analysis Complete

Buffer Underwrite in Apache HTTP Server

Publication date: 2026-06-08

Last updated on: 2026-06-11

Assigner: Apache Software Foundation

Description

Buffer Underwrite vulnerability in Apache HTTP Server on crafted regular expressions in the configuration. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-06-08

Last Modified

2026-06-11

Generated

2026-06-29

AI Q&A

2026-06-08

EPSS Evaluated

2026-06-27

NVD

CVE-2026-44631

EUVD

EUVD-2026-35095

Affected Vendors & Products

Vendor	Product	Version / Range
apache	http_server	From 2.4.0 (inc) to 2.4.68 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-124	The product writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.

Attack-Flow Graph

Executive Summary

This vulnerability is a Buffer Underwrite issue found in the Apache HTTP Server. It occurs when the server processes crafted regular expressions in its configuration, which can lead to memory being written outside the intended buffer boundaries.

The affected versions are Apache HTTP Server from 2.4.0 through 2.4.67. The issue is resolved in version 2.4.68.

Impact Analysis

A Buffer Underwrite vulnerability can lead to unpredictable behavior such as application crashes, data corruption, or potentially allow an attacker to execute arbitrary code. This can compromise the stability and security of the Apache HTTP Server.

Mitigation Strategies

Users are recommended to upgrade Apache HTTP Server to version 2.4.68, which fixes the buffer underwrite vulnerability caused by crafted regular expressions in the configuration.

Hi! I’m here to help you understand CVE-2026-44631. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70