CVE-2026-29168 Overview
CVE-2026-29168 is a resource exhaustion vulnerability in Apache HTTP Server's mod_md module. The flaw stems from improper handling of Online Certificate Status Protocol (OCSP) response data, which allows allocation of resources without limits or throttling [CWE-770]. Apache HTTP Server versions from 2.4.30 through 2.4.66 are affected. The Apache HTTP Server Project has released version 2.4.67 to address the issue. The vulnerability is exploitable over the network without authentication or user interaction, making vulnerable web servers susceptible to denial-of-service conditions through crafted OCSP responses.
Critical Impact
Remote attackers can trigger uncontrolled resource consumption in Apache HTTP Server instances using mod_md, degrading availability and potentially impacting confidentiality and integrity of certificate management operations.
Affected Products
- Apache HTTP Server 2.4.30 through 2.4.66
- Apache HTTP Server deployments using the mod_md module for ACME certificate management
- Web servers configured to fetch and process OCSP responses through mod_md
Discovery Timeline
- 2026-05-05 - CVE-2026-29168 published to the National Vulnerability Database
- 2026-05-06 - Last updated in the NVD database
Technical Details for CVE-2026-29168
Vulnerability Analysis
The vulnerability resides in mod_md, the Apache module responsible for managing Automatic Certificate Management Environment (ACME) protocol operations and certificate lifecycle tasks. When mod_md processes OCSP response data fetched from certificate authorities, it does not enforce limits on the resources allocated during parsing and storage. An attacker who can influence the OCSP response, either by responding as a malicious OCSP responder or through a man-in-the-middle position, can supply data that causes the server to allocate excessive memory or processing resources.
The attack does not require authentication or user interaction. Successful exploitation can degrade server performance, exhaust available memory, or render the Apache HTTP Server unable to service legitimate requests. The issue affects all releases from 2.4.30 through 2.4.66, covering a wide range of production deployments.
Root Cause
The root cause is the absence of bounds checking and throttling controls when mod_md ingests OCSP response data. The module trusts the size and structure of OCSP responses without applying upper limits, falling under [CWE-770] Allocation of Resources Without Limits or Throttling.
Attack Vector
Exploitation occurs over the network. An attacker positioned to deliver crafted OCSP responses to a vulnerable Apache HTTP Server triggers the resource allocation flaw during certificate validation operations performed by mod_md.
No verified public exploit code is available at this time. Refer to the Apache HTTPD Vulnerabilities List for technical details from the vendor.
Detection Methods for CVE-2026-29168
Indicators of Compromise
- Sudden spikes in Apache HTTP Server memory consumption coinciding with OCSP refresh intervals
- Unexpected httpd or mod_md worker process restarts under low request load
- Anomalous outbound connections from Apache hosts to unfamiliar OCSP responder endpoints
Detection Strategies
- Inventory all Apache HTTP Server installations and identify versions in the 2.4.30 through 2.4.66 range with mod_md enabled
- Audit httpd.conf and module configuration files for MDomain, MDCertificateAuthority, and OCSP stapling directives that activate mod_md OCSP handling
- Monitor process-level metrics for httpd workers, alerting on resource consumption that exceeds historical baselines
Monitoring Recommendations
- Capture and inspect OCSP response sizes and source IP addresses at the network egress layer
- Forward Apache error_log and mod_md diagnostic logs to a centralized logging platform for correlation
- Track availability metrics for hosted virtual hosts to detect service degradation linked to certificate refresh cycles
How to Mitigate CVE-2026-29168
Immediate Actions Required
- Upgrade Apache HTTP Server to version 2.4.67 or later, which contains the fix from the Apache HTTP Server Project
- Identify systems running affected versions with httpd -v and confirm whether mod_md is loaded using httpd -M | grep md
- Restrict outbound network access from Apache hosts to known, trusted OCSP responder endpoints only
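The inventory steps above (version range from the Detection Strategies section, and the httpd -v / httpd -M checks here) can be scripted. The following is an added example, not code from the advisory or from the Apache HTTP Server Project; it assumes the configuration lives at /etc/httpd/conf/httpd.conf, which varies by distribution, and all sample inputs in its test are constructed.

```sh
#!/bin/sh
# Added example (not from the advisory or the Apache project): applies the
# advisory's checks (version in 2.4.30..2.4.66, mod_md loaded, MDStapling
# active) to the text of `httpd -v`, `httpd -M` and httpd.conf.

# Extract "2.4.58" from a line such as "Server version: Apache/2.4.58 (Unix)".
version_from_httpd_v() {
    printf '%s\n' "$1" | sed -n 's#^Server version: Apache/\([0-9][0-9.]*\).*#\1#p'
}

# Return 0 when $1 lies inside 2.4.30 .. 2.4.66, 1 otherwise (malformed -> 1).
version_in_affected_range() {
    case $1 in *.*.*) ;; *) return 1 ;; esac     # need major.minor.patch
    major=${1%%.*}; rest=${1#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    patch=${patch%%[!0-9]*}                     # drop suffixes such as "-dev"
    case $patch in '' | *[!0-9]*) return 1 ;; esac
    [ "$major" = 2 ] && [ "$minor" = 4 ] || return 1
    [ "$patch" -ge 30 ] && [ "$patch" -le 66 ]
}

# Return 0 when the `httpd -M` listing in $1 contains md_module.
md_module_loaded() {
    printf '%s\n' "$1" | grep -qE '^[[:space:]]*md_module[[:space:]]'
}

# Return 0 when config text $1 has an uncommented "MDStapling on" (httpd directive names and on/off are case-insensitive).
md_stapling_on() {
    printf '%s\n' "$1" | grep -qiE '^[[:space:]]*MDStapling[[:space:]]+on[[:space:]]*$'
}

# Print one verdict: not-affected, affected-stapling-off (workaround in place,
# upgrade still required) or affected-stapling-on (upgrade or disable now).
assess() {   # $1 = `httpd -v` output, $2 = `httpd -M` output, $3 = config text
    ver=$(version_from_httpd_v "$1")
    if ! version_in_affected_range "$ver" || ! md_module_loaded "$2"; then
        echo not-affected
    elif md_stapling_on "$3"; then
        echo affected-stapling-on
    else
        echo affected-stapling-off
    fi
}

# Stand-alone use on a real host; skipped where httpd is not installed.
# Config path is an assumption (distribution-dependent).
if command -v httpd >/dev/null 2>&1; then
    assess "$(httpd -v 2>/dev/null)" "$(httpd -M 2>/dev/null)" \
           "$(cat /etc/httpd/conf/httpd.conf 2>/dev/null)"
fi
```

Configurations that include other files (Include/IncludeOptional) need the included files concatenated before being passed to assess.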
Patch Information
The Apache HTTP Server Project resolved CVE-2026-29168 in version 2.4.67. Administrators should plan immediate upgrades for any deployment using mod_md on versions 2.4.30 through 2.4.66. See the Apache HTTPD Vulnerabilities List and the Openwall OSS-Security Discussion for additional context.
Workarounds
- Disable mod_md by commenting out the LoadModule md_module directive if ACME-managed certificates are not required
- Disable OCSP stapling within mod_md by removing or commenting out the MDStapling on directive until patching is complete
- Apply network-level filtering to constrain OCSP traffic to vetted certificate authority responders
# Verify Apache version and mod_md status before patching
httpd -v
httpd -M | grep md_module
# Temporarily disable mod_md OCSP stapling in httpd.conf
# MDStapling on
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.