CVE-2026-34355 Overview
CVE-2026-34355 is a heap buffer overflow [CWE-122] in the mod_proxy_html module of Apache HTTP Server versions 2.4.67 and earlier. The flaw allows a malicious or compromised backend server to trigger memory corruption in the front-end Apache process when proxied HTML content is rewritten. Exploitation requires no authentication and can be performed over the network through crafted backend responses. The Apache HTTP Server project has released version 2.4.68 to remediate the issue.
Critical Impact
An untrusted backend can cause a buffer overflow in mod_proxy_html, leading to process crashes and denial of service against the Apache front-end server.
Affected Products
- Apache HTTP Server 2.4.67 and earlier (2.4.x branch)
- Deployments using the mod_proxy_html module for HTML link rewriting
- Reverse proxy configurations forwarding traffic to backends that can be influenced by an attacker
Discovery Timeline
- 2026-06-08 - CVE-2026-34355 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-34355
Vulnerability Analysis
The mod_proxy_html module rewrites HTML links in responses returned by backend servers when Apache acts as a reverse proxy. The module parses backend HTML and updates URLs so that links remain valid when served through the front-end. CVE-2026-34355 is a heap-based buffer overflow [CWE-122] triggered while processing backend-supplied content. An attacker who controls or compromises a backend server can return crafted HTML that exceeds buffer boundaries during rewriting. The condition results in memory corruption inside the Apache worker process, with availability impact assessed as high by NVD.
Root Cause
The root cause is insufficient bounds checking when mod_proxy_html allocates and copies HTML content received from a backend. When the parsed input exceeds the size assumptions of the destination heap buffer, adjacent memory is overwritten. Because the module operates on attacker-influenceable data from the proxied response, the boundary error is reachable without front-end authentication.
Attack Vector
Exploitation requires that Apache HTTP Server be configured as a reverse proxy with mod_proxy_html enabled and that the attacker can influence backend responses. This includes scenarios where the backend itself is compromised, where the backend mirrors user-controlled content, or where SSRF-style behavior lets an external attacker steer Apache toward a malicious origin. The attacker returns crafted HTML from the backend, which Apache parses and rewrites, triggering the overflow. The primary observed outcome is denial of service through worker process crashes.
No verified public proof-of-concept code is available at the time of writing. See the Apache HTTP Server Vulnerabilities advisory and the Openwall OSS-Security discussion for technical details.
Detection Methods for CVE-2026-34355
Indicators of Compromise
- Repeated Apache worker process crashes or segmentation faults logged in error_log while serving proxied content
- Unexpected mod_proxy_html parsing errors or abrupt connection terminations on reverse proxy hosts
- Backend responses containing abnormally large or malformed HTML structures directed at proxied endpoints
Detection Strategies
- Inventory Apache HTTP Server instances and identify versions at or below 2.4.67 with mod_proxy_html loaded via LoadModule proxy_html_module
- Review httpd.conf and virtual host configurations for ProxyHTMLEnable On directives to locate exposed proxy paths
- Correlate worker crash events with backend response sizes and content types to identify suspicious origins
Monitoring Recommendations
- Monitor Apache error_log and system journal for child pid ... exit signal Segmentation fault events tied to proxy requests
- Alert on outbound proxy connections to unexpected or newly observed backend hosts
- Track frequency of mod_proxy_html processing failures over time to detect probing or active exploitation attempts
How to Mitigate CVE-2026-34355
Immediate Actions Required
- Upgrade Apache HTTP Server to version 2.4.68 or later on all reverse proxy hosts running mod_proxy_html
- Restrict reverse proxy backends to trusted, hardened origins and validate any user-influenced backend routing
- Audit upstream applications for content-reflection paths that could let external attackers steer HTML responses through the proxy
Patch Information
The Apache HTTP Server project addressed CVE-2026-34355 in version 2.4.68. Operators should download the fixed release from the Apache HTTP Server Vulnerabilities advisory page or apply the corresponding distribution package update. After patching, restart the httpd service and confirm the running version with httpd -v.
Workarounds
- Disable mod_proxy_html until the upgrade is complete by commenting out the LoadModule proxy_html_module directive
- Remove ProxyHTMLEnable On from virtual hosts where HTML rewriting is not required
- Place a strict content-size and content-type filter in front of backend responses to limit attacker-controlled HTML reaching the module
# Verify installed Apache version
httpd -v
# Temporarily disable mod_proxy_html on Debian/Ubuntu until patched
sudo a2dismod proxy_html
sudo systemctl restart apache2
# After upgrade, confirm version is 2.4.68 or later
apt-get update && apt-get install --only-upgrade apache2
httpd -v
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

