Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-34356

CVE-2026-34356: Apache HTTP Server Buffer Overflow Flaw

CVE-2026-34356 is a heap-based buffer overflow vulnerability in Apache HTTP Server affecting versions 2.4.0 through 2.4.67. This critical flaw exploits ProxyPassReverseCookie with malicious backends. Learn the technical details, impact, and mitigation.

Published:

CVE-2026-34356 Overview

CVE-2026-34356 is a heap-based buffer overflow [CWE-122] in Apache HTTP Server affecting the ProxyPassReverseCookie* directives. The flaw is triggered when httpd processes responses from a malicious or compromised backend server. Affected versions include Apache HTTP Server 2.4.0 through 2.4.67. The Apache HTTP Server Project released version 2.4.68 to address the issue.

The vulnerability is network-reachable, requires no authentication, and does not require user interaction. Successful exploitation impacts availability by causing the httpd process to crash through heap corruption.

Critical Impact

A malicious backend can send crafted Set-Cookie headers that overflow heap memory in the Apache reverse proxy, resulting in denial of service against the front-end web server.

Affected Products

  • Apache HTTP Server 2.4.0 through 2.4.67
  • Deployments using mod_proxy with ProxyPassReverseCookieDomain directives
  • Deployments using mod_proxy with ProxyPassReverseCookiePath directives

Discovery Timeline

  • 2026-06-08 - CVE-2026-34356 published to NVD
  • 2026-06-09 - Last updated in NVD database

Technical Details for CVE-2026-34356

Vulnerability Analysis

The vulnerability resides in Apache HTTP Server's mod_proxy_http cookie rewriting logic. The ProxyPassReverseCookieDomain and ProxyPassReverseCookiePath directives rewrite Domain= and Path= attributes in Set-Cookie response headers returned by backend servers. When httpd parses an attacker-controlled cookie header, the rewrite routine miscalculates heap buffer boundaries while substituting attribute values, producing an out-of-bounds write on the heap.

Because the rewrite happens on the front-end proxy after the response is received, the attack surface exists wherever httpd proxies traffic from a host an attacker controls. Cloud architectures that proxy to internal microservices, partner-operated APIs, or upstream applications running untrusted code are exposed. The impact is limited to availability, as the corruption crashes the worker process rather than allowing controlled code execution under typical hardening.

Root Cause

The root cause is improper bounds checking during string substitution in the cookie attribute rewrite path. The handler allocates a heap buffer sized against the original cookie header but writes the rewritten value without revalidating length when the replacement attribute is longer than the source. This produces a classic heap-based buffer overflow [CWE-122].

Attack Vector

An attacker controls or compromises a backend application server that an Apache httpd reverse proxy is configured to forward to. The attacker returns an HTTP response containing a crafted Set-Cookie header with Domain or Path values designed to overflow the rewrite buffer once ProxyPassReverseCookieDomain or ProxyPassReverseCookiePath processes it. The exploitation occurs server-side on the proxy with no client interaction.

No public proof-of-concept code is available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. See the Apache HTTP Server Vulnerabilities advisory and the Openwall OSS-Security disclosure for protocol-level detail.

Detection Methods for CVE-2026-34356

Indicators of Compromise

  • Unexpected httpd worker segmentation faults or core dumps logged in system journals after proxying upstream responses.
  • Apache error_log entries indicating child process termination signals correlated with proxied requests.
  • Anomalous Set-Cookie headers from backends containing oversized Domain= or Path= attribute values.

Detection Strategies

  • Inventory all httpd instances and confirm the running version with httpd -v; flag any build between 2.4.0 and 2.4.67.
  • Audit configuration files for ProxyPassReverseCookieDomain and ProxyPassReverseCookiePath directives to identify exposed proxies.
  • Inspect proxied response traffic for malformed cookie attributes using a web application firewall or reverse proxy log analysis.

Monitoring Recommendations

  • Forward httpd access and error logs to a centralized analytics platform and alert on repeated worker crashes.
  • Monitor backend-to-proxy HTTP responses for unusual Set-Cookie header sizes that exceed expected application norms.
  • Track Apache process restart frequency and correlate spikes with upstream backend activity.

How to Mitigate CVE-2026-34356

Immediate Actions Required

  • Upgrade Apache HTTP Server to version 2.4.68 or later on all affected hosts.
  • Identify and isolate any backend servers that are not fully trusted or that run untrusted tenant code.
  • Restart httpd after upgrading to ensure all worker processes load the patched binary.

Patch Information

The Apache HTTP Server Project fixed the heap-based buffer overflow in version 2.4.68. Upgrade guidance and release notes are published on the Apache HTTP Server security page. Downstream Linux distribution packages should be updated through standard package managers once vendors ship the corresponding backport.

Workarounds

  • Temporarily remove or comment out ProxyPassReverseCookieDomain and ProxyPassReverseCookiePath directives until patching is complete.
  • Restrict reverse proxy configurations so that httpd only forwards to backends under direct administrative control.
  • Deploy a web application firewall rule that strips or normalizes oversized Domain= and Path= attributes in upstream Set-Cookie headers.
bash
# Verify installed Apache version and locate vulnerable directives
httpd -v
grep -RniE 'ProxyPassReverseCookie(Domain|Path)' /etc/httpd/ /etc/apache2/

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.