USN-8516-1: Apache HTTP Server vulnerabilities

Publication date

8 July 2026

Overview

Several security issues were fixed in Apache HTTP Server.


Packages

Details

It was discovered that Apache HTTP Server's mod_ldap module incorrectly
handled memory when processing per-directory configurations. An attacker
could use this issue to cause the server to crash, resulting in a denial of
service, or possibly execute arbitrary code. (CVE-2026-29167)

It was discovered that Apache HTTP Server's mod_proxy_ftp module
incorrectly handled HTML generation for FTP directory listings. A remote
attacker could possibly use this issue to inject arbitrary web script or
HTML. (CVE-2026-29170)

It was discovered that Apache HTTP Server's mod_proxy_html module
incorrectly handled certain content from an untrusted backend. A remote
attacker could possibly use this issue to cause Apache HTTP Server to
crash, resulting in a denial of service. (CVE-2026-34355)

It was discovered that Apache HTTP...

It was discovered that Apache HTTP Server's mod_ldap module incorrectly
handled memory when processing per-directory configurations. An attacker
could use this issue to cause the server to crash, resulting in a denial of
service, or possibly execute arbitrary code. (CVE-2026-29167)

It was discovered that Apache HTTP Server's mod_proxy_ftp module
incorrectly handled HTML generation for FTP directory listings. A remote
attacker could possibly use this issue to inject arbitrary web script or
HTML. (CVE-2026-29170)

It was discovered that Apache HTTP Server's mod_proxy_html module
incorrectly handled certain content from an untrusted backend. A remote
attacker could possibly use this issue to cause Apache HTTP Server to
crash, resulting in a denial of service. (CVE-2026-34355)

It was discovered that Apache HTTP Server incorrectly handled
ProxyPassReverseCookie directives with a malicious backend server. A remote
attacker could possibly use this issue to cause Apache HTTP Server to
crash, resulting in a denial of service. (CVE-2026-34356)

It was discovered that Apache HTTP Server's mod_dav_fs module incorrectly
handled certain path operations. An authenticated user could possibly use
this issue to manipulate trusted WebDAV property databases or cause a
denial of service. (CVE-2026-42535)

It was discovered that Apache HTTP Server's mod_xml2enc module incorrectly
handled certain content from an untrusted backend. A remote attacker could
possibly use this issue to cause Apache HTTP Server to crash, resulting in
a denial of service. (CVE-2026-42536)

It was discovered that Apache HTTP Server incorrectly handled response
headers when multiple content languages were configured. A remote attacker
could possibly use this issue to obtain sensitive information.
(CVE-2026-43951)

It was discovered that Apache HTTP Server incorrectly restricted certain
file functions in expressions within .htaccess files. A local attacker with
.htaccess write access could possibly use this issue to obtain sensitive
information. (CVE-2026-44119)

It was discovered that Apache HTTP Server's mod_ssl module incorrectly
handled OCSP responses from an attacker-controlled server. A remote
attacker could possibly use this issue to obtain sensitive information or
cause a denial of service. (CVE-2026-44185)

It was discovered that Apache HTTP Server's mod_proxy_ftp module
incorrectly handled responses from an attacker-controlled backend FTP
server. A remote attacker could possibly use this issue to cause Apache
HTTP Server to stop responding, resulting in a denial of service.
(CVE-2026-44186)

It was discovered that Apache HTTP Server incorrectly handled crafted
regular expressions in the server configuration. An attacker could possibly
use this issue to execute arbitrary code or cause a denial of service.
(CVE-2026-44631)

It was discovered that Apache HTTP Server's mod_http2 module had a
use-after-free vulnerability when file handles were exhausted. A remote
attacker could possibly use this issue to cause Apache HTTP Server to
crash, resulting in a denial of service. (CVE-2026-48913)


Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
26.04 LTS resolute apache2 –  2.4.66-2ubuntu2.4
24.04 LTS noble apache2 –  2.4.58-1ubuntu8.15
22.04 LTS jammy apache2 –  2.4.52-1ubuntu4.23

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.


Have additional questions?

Talk to a member of the team ›