Packages
- apache2 - Apache HTTP server
Details
Bartlomiej Dmitruk and Stanislaw Strzalkowski discovered that Apache
HTTP Server incorrectly handled certain memory operations when using the
HTTP/2 protocol. A remote attacker could use this issue to cause Apache
HTTP Server to crash, resulting in a denial of service, or possibly execute
arbitrary code. This issue only affected Ubuntu 26.04 LTS.
(CVE-2026-23918)
It was discovered that the Apache HTTP Server mod_rewrite module
incorrectly handled certain privileges. A local attacker could possibly use
this issue to obtain sensitive information. (CVE-2026-24072)
Andrew Lacambra, Elhanan Haenel, Tianshuo Han, and Tristan Madani
discovered that the Apache HTTP Server mod_proxy_ajp module incorrectly
handled certain AJP server messages. An attacker in control of a backend
AJP server could use this issue to cause Apache HTTP Server to...
Bartlomiej Dmitruk and Stanislaw Strzalkowski discovered that Apache
HTTP Server incorrectly handled certain memory operations when using the
HTTP/2 protocol. A remote attacker could use this issue to cause Apache
HTTP Server to crash, resulting in a denial of service, or possibly execute
arbitrary code. This issue only affected Ubuntu 26.04 LTS.
(CVE-2026-23918)
It was discovered that the Apache HTTP Server mod_rewrite module
incorrectly handled certain privileges. A local attacker could possibly use
this issue to obtain sensitive information. (CVE-2026-24072)
Andrew Lacambra, Elhanan Haenel, Tianshuo Han, and Tristan Madani
discovered that the Apache HTTP Server mod_proxy_ajp module incorrectly
handled certain AJP server messages. An attacker in control of a backend
AJP server could use this issue to cause Apache HTTP Server to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2026-28780)
Pavel Kohout discovered that Apache HTTP Server did not properly limit
resource allocation in mod_md when processing OCSP response data. A
remote attacker could possibly use this issue to cause a denial of
service. (CVE-2026-29168)
Pavel Kohout discovered that the Apache HTTP Server incorrectly handled
certain memory operations in mod_dav_lock. A remote attacker could possibly
use this issue to cause Apache HTTP Server to crash, resulting in a denial
of service. (CVE-2026-29169)
Nitescu Lucian discovered that Apache HTTP Server had a timing attack
vulnerability in mod_auth_digest. A remote attacker could possibly
use this issue to bypass Digest authentication. (CVE-2026-33006)
Pavel Kohout and Arkadi Vainbrand discovered that Apache HTTP Server
incorrectly handled certain memory operations in mod_authn_socache. A
remote attacker could possibly use this issue to cause Apache HTTP Server
to crash, resulting in a denial of service. (CVE-2026-33007)
Haruki Oyama, Merih Mengisteab, and Dawit Jeong discovered that
Apache HTTP Server had an HTTP response splitting vulnerability in
multiple modules when used with untrusted or compromised backend
servers. An attacker could possibly use this issue to inject arbitrary
HTTP headers. (CVE-2026-33523)
Elhanan Haenel discovered that Apache HTTP Server incorrectly handled
certain memory operations in mod_proxy_ajp. A remote attacker could
possibly use this issue to cause Apache HTTP Server to crash, resulting in
a denial of service. (CVE-2026-33857)
Tianshuo Han and Jérôme Djouder discovered that Apache HTTP Server
incorrectly handled certain string operations in mod_proxy_ajp. A remote
attacker could possibly use this issue to obtain sensitive information.
(CVE-2026-34032)
Elhanan Haenel discovered that Apache HTTP Server incorrectly handled
certain memory operations in mod_proxy_ajp. A remote attacker could use
this issue to cause Apache HTTP Server to crash, resulting in a denial of
service, or possibly obtain sensitive information. (CVE-2026-34059)
Update instructions
In general, a standard system update will make all the necessary changes.
Learn more about how to get the fixes.The problem can be corrected by updating your system to the following package versions:
| Ubuntu Release | Package Version | ||
|---|---|---|---|
| 26.04 LTS resolute | apache2 – 2.4.66-2ubuntu2.1 | ||
| 25.10 questing | apache2 – 2.4.64-1ubuntu3.4 | ||
| 24.04 LTS noble | apache2 – 2.4.58-1ubuntu8.12 | ||
| 22.04 LTS jammy | apache2 – 2.4.52-1ubuntu4.20 | ||
Reduce your security exposure
Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.
References
- CVE-2026-34059
- CVE-2026-34032
- CVE-2026-33857
- CVE-2026-33523
- CVE-2026-33007
- CVE-2026-33006
- CVE-2026-29169
- CVE-2026-29168
- CVE-2026-28780
- CVE-2026-24072
- CVE-2026-34059
- CVE-2026-34032
- CVE-2026-33857
- CVE-2026-33523
- CVE-2026-33007
- CVE-2026-33006
- CVE-2026-29169
- CVE-2026-29168
- CVE-2026-28780
- CVE-2026-24072
- CVE-2026-23918