CVE-2026-29169 Overview
CVE-2026-29169 is a NULL pointer dereference vulnerability [CWE-476] in the mod_dav_lock module of Apache HTTP Server releases before 2.4.66, the version that carries the fix. A remote attacker can crash the worker process handling the connection by sending a malicious HTTP request to a server that loads mod_dav_lock. The flaw affects availability only; it does not expose data or allow code execution. Confirm the exact affected range against the Apache HTTPD Vulnerabilities List, because distribution packages often backport the fix while keeping an older version number.
The mod_dav_lock module is not used internally by mod_dav or mod_dav_fs; mod_dav_fs implements its own locking. Its only known consumer was mod_dav_svn from Apache Subversion releases earlier than 1.2.0, so on almost every current deployment the module is loaded but unused. The Apache HTTP Server project recommends upgrading to version 2.4.66 or removing mod_dav_lock from the server configuration.
Critical Impact
Unauthenticated remote attackers can crash a worker process with a single crafted request, producing a denial-of-service condition against any Apache HTTP Server instance that loads mod_dav_lock. The parent process respawns crashed children, so the service does not stop outright, but a stream of such requests keeps the workers in a crash loop and starves legitimate clients.
Affected Products
- Apache HTTP Server releases before 2.4.66 (when mod_dav_lock is loaded); check vendor changelogs for backported fixes
- Deployments using Apache Subversion mod_dav_svn versions earlier than 1.2.0
- Any Apache HTTP Server configuration that enables mod_dav_lock for WebDAV locking
Discovery Timeline
- 2026-05-04 - CVE-2026-29169 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-29169
Vulnerability Analysis
The vulnerability resides in mod_dav_lock, the Apache HTTP Server module that implements generic WebDAV locking on behalf of DAV providers. When the module processes a malicious request, a pointer that the module expects to have been populated earlier in the request lifecycle is NULL at the point where it is dereferenced. The dereference raises a segmentation fault inside the worker process serving the connection; the MPM parent logs the child's exit and starts a replacement.
Because mod_dav_lock is reachable over the network through standard HTTP request processing, the attack requires no authentication and no user interaction. Repeated requests can keep the affected workers in a crash loop, exhausting the server's capacity to serve legitimate clients, and on a threaded MPM (worker, event) every other connection handled by the crashing child is dropped as well. The flaw does not impact confidentiality or integrity, but it directly degrades availability.
Root Cause
The root cause is a missing NULL check on a pointer used during WebDAV lock processing inside mod_dav_lock. The module assumes that a structure populated earlier in the request lifecycle is always present. Specially crafted input violates that assumption and reaches the dereference path with the pointer still NULL, so the worker takes a segmentation fault.
Attack Vector
An unauthenticated attacker sends a malicious WebDAV request over the network to an Apache HTTP Server instance that loads mod_dav_lock. The request reaches the lock-handling code path, the dereference fires, and the worker process crashes. No special tooling, credentials, or local access is required. No public proof of concept is available, and the upstream advisory does not describe the exact request shape, so this section stays at the level of the advisory; refer to the Apache HTTPD Vulnerabilities List for upstream technical context.
Detection Methods for CVE-2026-29169
Indicators of Compromise
- Apache error_log entries of the form AH00052: child pid NNNN exit signal Segmentation fault (11). The message names the crashed child but not the request it was serving, so tie it to WebDAV traffic by timestamp rather than by content.
- Sudden spikes in worker process restarts on hosts running mod_dav_lock without a corresponding configuration change.
- Inbound HTTP requests using WebDAV methods such as LOCK, UNLOCK, PROPFIND, or MKCOL from unexpected sources.
Detection Strategies
- Inventory loaded Apache modules with apachectl -M and flag any host that lists dav_lock_module as active.
- Correlate worker crash events in error_log with access log entries from the same timeframe to identify the triggering client. Expect the crashing request itself to be missing from access_log: httpd writes the access record at the end of the request, and the worker dies before it gets there, so the logs of a reverse proxy or load balancer in front of httpd, or a packet capture, are the reliable source for the request body.
- Alert on bursts of connection resets or empty replies from URLs that map to WebDAV-enabled locations; a crashed worker sends no response at all, so clients see a reset while a reverse proxy in front of httpd typically reports the event as a 502.
Monitoring Recommendations
- Forward Apache access_log and error_log to a centralized logging platform and build dashboards for WebDAV method volume and worker crash frequency.
- Monitor child process churn through mod_status or the rate of AH00052 lines in error_log. systemd or supervisord only supervise the parent httpd process, which survives child crashes, so their restart counters will not reflect this condition.
- Track HTTP method distribution at the network edge to detect WebDAV traffic against servers that should not expose DAV.
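The following shell script is an added example, not code from the original page or from the Apache project. It implements the detection strategies above over constructed sample log lines: it counts worker segfaults per minute in an error_log written in Apache's default ErrorLogFormat, and counts WebDAV-method requests per client in a "combined" format access_log. The sample lines, the IP addresses and the threshold of three crashes per minute are all assumptions made for the example; the awk field positions must be adjusted if your LogFormat or ErrorLogFormat differs.

```shell
#!/bin/sh
# Added example, not part of the original page or of the Apache project.
# Parses constructed sample logs in Apache's default error_log format and
# the "combined" access_log format; adjust field positions for other formats.

# Minutes in error_log with at least THRESHOLD (default 3) worker segfaults.
# Prints "<Mon> <day> <HH:MM> <year> <count>", one line per flagged minute.
segfault_minutes() {
    awk -v t="${2:-3}" '
        /exit signal Segmentation fault \(11\)/ {
            # Fields 2..5 of "[Tue May 05 10:15:40.200000 2026]" hold the timestamp.
            split($4, hms, ":")
            m = $2 " " $3 " " hms[1] ":" hms[2] " " substr($5, 1, 4)
            n[m]++
        }
        END { for (m in n) if (n[m] >= t) print m, n[m] }
    ' "$1" | sort
}

# WebDAV-method requests per client IP in a combined-format access_log.
# A request that crashed its worker is usually never written to access_log
# (the record is written at the end of the request), so keep the logs of any
# reverse proxy in front of httpd as well; this function only finds the
# client's other DAV traffic around the crash.
dav_requests_by_client() {
    awk '
        $6 ~ /^"(LOCK|UNLOCK|PROPFIND|PROPPATCH|MKCOL|COPY|MOVE)$/ { n[$1]++ }
        END { for (ip in n) print ip, n[ip] }
    ' "$1" | sort -k2,2nr -k1,1
}

# Constructed sample logs (not real data): three crashes inside one minute
# and one more in the next, with DAV requests from a single client.
ERROR_LOG=$(mktemp)
ACCESS_LOG=$(mktemp)
cat > "$ERROR_LOG" <<'EOF'
[Tue May 05 10:15:21.100000 2026] [mpm_event:notice] [pid 1200:tid 1200] AH00489: Apache/2.4.65 (Unix) configured -- resuming normal operations
[Tue May 05 10:15:40.200000 2026] [core:notice] [pid 1200:tid 1200] AH00052: child pid 1311 exit signal Segmentation fault (11)
[Tue May 05 10:15:41.300000 2026] [core:notice] [pid 1200:tid 1200] AH00052: child pid 1312 exit signal Segmentation fault (11)
[Tue May 05 10:15:43.400000 2026] [core:notice] [pid 1200:tid 1200] AH00052: child pid 1313 exit signal Segmentation fault (11)
[Tue May 05 10:16:02.500000 2026] [core:notice] [pid 1200:tid 1200] AH00052: child pid 1314 exit signal Segmentation fault (11)
EOF
cat > "$ACCESS_LOG" <<'EOF'
203.0.113.7 - - [05/May/2026:10:15:39 +0000] "PROPFIND /dav/ HTTP/1.1" 207 812 "-" "curl/8.5.0"
203.0.113.7 - - [05/May/2026:10:15:39 +0000] "LOCK /dav/a.txt HTTP/1.1" 200 412 "-" "curl/8.5.0"
198.51.100.4 - - [05/May/2026:10:15:42 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.7 - - [05/May/2026:10:16:01 +0000] "LOCK /dav/b.txt HTTP/1.1" 200 412 "-" "curl/8.5.0"
EOF

echo "== minutes with >= 3 worker segfaults =="
segfault_minutes "$ERROR_LOG" 3
echo "== WebDAV requests per client =="
dav_requests_by_client "$ACCESS_LOG"
```

On the sample data the first function reports the 10:15 minute with three crashes and the second attributes all three DAV requests to 203.0.113.7, which is the pairing a SIEM rule should alert on. Run both against real logs with the file paths substituted; the threshold of three is a starting point that should be tuned to the normal child turnover of the host.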
How to Mitigate CVE-2026-29169
Immediate Actions Required
- Upgrade Apache HTTP Server to version 2.4.66 or later, or to a distribution package whose changelog lists the CVE-2026-29169 fix, on every host that loads mod_dav_lock.
- If an immediate upgrade is not possible, disable mod_dav_lock by removing or commenting out its LoadModule directive and restarting Apache.
- Audit Subversion deployments and upgrade any mod_dav_svn instance older than 1.2.0, since that is the only known consumer of mod_dav_lock.
Patch Information
The Apache HTTP Server project fixed the NULL pointer dereference in version 2.4.66. Administrators should consult the Apache HTTPD Vulnerabilities List and the announcement on the oss-security list (openwall.com) for upstream details, then apply vendor-supplied packages from their Linux distribution as soon as they become available. Distributions frequently backport the fix into an older 2.4.x package, so check the package changelog rather than relying on the version string reported by httpd -v.
Workarounds
- Remove the LoadModule dav_lock_module directive from httpd.conf if WebDAV locking is not required. Also remove or comment out any DavGenericLockDB directive, which belongs to mod_dav_lock; if it remains in the configuration after the module is unloaded, httpd fails its configuration test with an unknown-directive error. DavLockDB belongs to mod_dav_fs and can stay.
- Restrict access to WebDAV-enabled paths using Require directives, IP allowlists, or upstream reverse proxy rules until patching is complete.
- Block WebDAV HTTP methods (LOCK, UNLOCK, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE) at the web application firewall, or in httpd itself with a LimitExcept section that allows only the methods the site needs, for hosts that do not need DAV functionality.
# Disable mod_dav_lock until patching is complete
# Debian/Ubuntu
sudo a2dismod dav_lock
sudo apachectl configtest && sudo systemctl restart apache2
# RHEL/CentOS - comment out the LoadModule line
sudo sed -i 's|^LoadModule dav_lock_module|#LoadModule dav_lock_module|' \
/etc/httpd/conf.modules.d/00-dav.conf
# If configtest reports DavGenericLockDB as an invalid command, comment that
# directive out as well; it is provided by mod_dav_lock
sudo apachectl configtest && sudo systemctl restart httpd
# Verify the module is no longer loaded (no output means it is gone)
apachectl -M | grep -i dav_lock
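The script below is an added example and not code from the original page or from the Apache project. It turns the workarounds above into something repeatable across a fleet: it audits a configuration directory for active mod_dav_lock loads and for DavGenericLockDB directives that would break startup once the module is gone, comments both out, and writes a drop-in that denies WebDAV methods. The directory layout (*.conf files, as in /etc/httpd/conf.modules.d or /etc/apache2/mods-enabled), the sample files it creates, and the drop-in file name are assumptions made for the example; it does not restart httpd, so follow it with apachectl configtest and a restart.

```shell
#!/bin/sh
# Added example, not part of the original page or of the Apache project.
# Operates on an httpd configuration directory passed as $1 and assumes
# the usual *.conf layout; it never restarts httpd itself.

# Matches an active "LoadModule dav_lock_module ..." line or a
# "DavGenericLockDB ..." line (the latter is a mod_dav_lock directive).
DAV_LOCK_RE='^[[:space:]]*(LoadModule[[:space:]]+dav_lock_module|DavGenericLockDB)[[:space:]]'

# Print file:line:text for every hit. Exit status 0 if anything was found,
# 1 if the directory is already clean (grep semantics).
audit_dav_lock() {
    hits=$(find "$1" -name '*.conf' -type f -exec grep -HnE "$DAV_LOCK_RE" {} + || true)
    [ -n "$hits" ] && printf '%s\n' "$hits"
}

# Comment out both kinds of line in place, keeping a .bak copy of each file
# (sed -i.bak is the form accepted by both GNU and BSD sed).
disable_dav_lock() {
    find "$1" -name '*.conf' -type f -exec sed -i.bak -E \
        's/^([[:space:]]*)((LoadModule[[:space:]]+dav_lock_module|DavGenericLockDB)[[:space:]])/\1#\2/' {} +
}

# Write a drop-in that rejects every method except the ones listed in
# LimitExcept, so LOCK, UNLOCK, PROPFIND and the rest get 403. Place it so
# that no later <Location> section re-grants access to the DAV paths.
write_dav_deny_conf() {
    cat > "$1" <<'EOF'
# Temporary workaround for CVE-2026-29169: reject WebDAV methods until patched.
<Location "/">
    <LimitExcept GET POST HEAD OPTIONS>
        Require all denied
    </LimitExcept>
</Location>
EOF
}

# Constructed sample configuration (not a real host): the RHEL-style module
# file plus a DAV site config that sets both lock database directives.
CONFDIR=$(mktemp -d)
cat > "$CONFDIR/00-dav.conf" <<'EOF'
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule dav_lock_module modules/mod_dav_lock.so
EOF
cat > "$CONFDIR/dav.conf" <<'EOF'
DavLockDB /var/lib/dav/lockdb
DavGenericLockDB /var/lib/dav/generic
EOF

echo "== before =="
audit_dav_lock "$CONFDIR"
disable_dav_lock "$CONFDIR"
echo "== after =="
audit_dav_lock "$CONFDIR" || echo "no active mod_dav_lock lines remain"
write_dav_deny_conf "$CONFDIR/zz-dav-deny.conf"
cat "$CONFDIR/zz-dav-deny.conf"
```

The audit deliberately leaves DavLockDB alone, since that directive is mod_dav_fs's and unaffected by removing mod_dav_lock. After applying the changes to a real host, confirm the method block with a request such as curl -i -X PROPFIND against a DAV path, which should return 403 rather than 207, and confirm the module is unloaded with apachectl -M.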
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


