Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-34355

CVE-2026-34355: Apache HTTP Server Buffer Overflow Flaw

CVE-2026-34355 is a buffer overflow flaw in Apache HTTP Server's mod_proxy_html module that can be exploited by untrusted backends. This article covers the technical details, affected versions, security impact, and mitigation.

Published:

CVE-2026-34355 Overview

CVE-2026-34355 is a heap buffer overflow [CWE-122] in the mod_proxy_html module of Apache HTTP Server versions 2.4.67 and earlier. The flaw allows a malicious or compromised backend server to trigger memory corruption in the front-end Apache process when proxied HTML content is rewritten. Exploitation requires no authentication and can be performed over the network through crafted backend responses. The Apache HTTP Server project has released version 2.4.68 to remediate the issue.

Critical Impact

An untrusted backend can cause a buffer overflow in mod_proxy_html, leading to process crashes and denial of service against the Apache front-end server.

Affected Products

  • Apache HTTP Server 2.4.67 and earlier (2.4.x branch)
  • Deployments using the mod_proxy_html module for HTML link rewriting
  • Reverse proxy configurations forwarding traffic to backends that can be influenced by an attacker

Discovery Timeline

  • 2026-06-08 - CVE-2026-34355 published to NVD
  • 2026-06-09 - Last updated in NVD database

Technical Details for CVE-2026-34355

Vulnerability Analysis

The mod_proxy_html module rewrites HTML links in responses returned by backend servers when Apache acts as a reverse proxy. The module parses backend HTML and updates URLs so that links remain valid when served through the front-end. CVE-2026-34355 is a heap-based buffer overflow [CWE-122] triggered while processing backend-supplied content. An attacker who controls or compromises a backend server can return crafted HTML that exceeds buffer boundaries during rewriting. The condition results in memory corruption inside the Apache worker process, with availability impact assessed as high by NVD.

Root Cause

The root cause is insufficient bounds checking when mod_proxy_html allocates and copies HTML content received from a backend. When the parsed input exceeds the size assumptions of the destination heap buffer, adjacent memory is overwritten. Because the module operates on attacker-influenceable data from the proxied response, the boundary error is reachable without front-end authentication.

Attack Vector

Exploitation requires that Apache HTTP Server be configured as a reverse proxy with mod_proxy_html enabled and that the attacker can influence backend responses. This includes scenarios where the backend itself is compromised, where the backend mirrors user-controlled content, or where SSRF-style behavior lets an external attacker steer Apache toward a malicious origin. The attacker returns crafted HTML from the backend, which Apache parses and rewrites, triggering the overflow. The primary observed outcome is denial of service through worker process crashes.

No verified public proof-of-concept code is available at the time of writing. See the Apache HTTP Server Vulnerabilities advisory and the Openwall OSS-Security discussion for technical details.

Detection Methods for CVE-2026-34355

Indicators of Compromise

  • Repeated Apache worker process crashes or segmentation faults logged in error_log while serving proxied content
  • Unexpected mod_proxy_html parsing errors or abrupt connection terminations on reverse proxy hosts
  • Backend responses containing abnormally large or malformed HTML structures directed at proxied endpoints

Detection Strategies

  • Inventory Apache HTTP Server instances and identify versions at or below 2.4.67 with mod_proxy_html loaded via LoadModule proxy_html_module
  • Review httpd.conf and virtual host configurations for ProxyHTMLEnable On directives to locate exposed proxy paths
  • Correlate worker crash events with backend response sizes and content types to identify suspicious origins

Monitoring Recommendations

  • Monitor Apache error_log and system journal for child pid ... exit signal Segmentation fault events tied to proxy requests
  • Alert on outbound proxy connections to unexpected or newly observed backend hosts
  • Track frequency of mod_proxy_html processing failures over time to detect probing or active exploitation attempts

How to Mitigate CVE-2026-34355

Immediate Actions Required

  • Upgrade Apache HTTP Server to version 2.4.68 or later on all reverse proxy hosts running mod_proxy_html
  • Restrict reverse proxy backends to trusted, hardened origins and validate any user-influenced backend routing
  • Audit upstream applications for content-reflection paths that could let external attackers steer HTML responses through the proxy

Patch Information

The Apache HTTP Server project addressed CVE-2026-34355 in version 2.4.68. Operators should download the fixed release from the Apache HTTP Server Vulnerabilities advisory page or apply the corresponding distribution package update. After patching, restart the httpd service and confirm the running version with httpd -v.

Workarounds

  • Disable mod_proxy_html until the upgrade is complete by commenting out the LoadModule proxy_html_module directive
  • Remove ProxyHTMLEnable On from virtual hosts where HTML rewriting is not required
  • Place a strict content-size and content-type filter in front of backend responses to limit attacker-controlled HTML reaching the module
bash
# Verify installed Apache version
httpd -v

# Temporarily disable mod_proxy_html on Debian/Ubuntu until patched
sudo a2dismod proxy_html
sudo systemctl restart apache2

# After upgrade, confirm version is 2.4.68 or later
apt-get update && apt-get install --only-upgrade apache2
httpd -v

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.