Home

Description

Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to mod_proxy_ajp and cause it to write 4 attacker controlled bytes after the end of a heap based buffer. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

PUBLISHED Reserved 2026-03-03 | Published 2026-05-05 | Updated 2026-05-06 | Assigner apache

Problem types

CWE-122 Heap-based Buffer Overflow

Product status

Default status
unaffected

Any version
affected

Timeline

2026-02-04:reported
2026-03-18:reported by 3rd finder
2026-02-28:reported by 2nd finder

Credits

Andrew Lacambra finder

Elhanan Haenel finder

Tianshuo Han (<hantianshuo233@gmail.com>) finder

Tristan Madani finder

References

www.openwall.com/lists/oss-security/2026/05/05/9

httpd.apache.org/security/vulnerabilities_24.html vendor-advisory

cve.org (CVE-2026-28780)

nvd.nist.gov (CVE-2026-28780)

Download JSON