PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-59173 Apache Software Foundation CVE debrief

CVE-2026-59173 is an Uncontrolled Resource Consumption vulnerability in Apache Traffic Server. The issue affects Apache Traffic Server versions from 9.0.0 through 9.1.13 and from 10.0.0 through 10.1.2. Users are recommended to upgrade to version 9.1.14 or 10.1.3, which fixes the issue. This vulnerability can lead to resource exhaustion, potentially causing performance issues or crashes. Affected users should review their deployments and plan for an upgrade.

Vendor
Apache Software Foundation
Product
Apache Traffic Server
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-18
Original CVE updated
2026-07-18
Advisory published
2026-07-18
Advisory updated
2026-07-18

Who should care

Users of Apache Traffic Server versions 9.0.0 through 9.1.13 and 10.0.0 through 10.1.2 should upgrade to version 9.1.14 or 10.1.3. This includes administrators, security teams, and operators responsible for maintaining and securing Apache Traffic Server deployments. They should review their inventory of affected versions and plan for the necessary upgrades.

Technical summary

The CVE-2026-59173 vulnerability is an Uncontrolled Resource Consumption issue in Apache Traffic Server. This vulnerability affects versions from 9.0.0 through 9.1.13 and from 10.0.0 through 10.1.2. The recommended fix is to upgrade to version 9.1.14 or 10.1.3. The vulnerability can cause the server to consume excessive resources, leading to potential performance degradation or service disruption.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade Apache Traffic Server to version 9.1.14 or 10.1.3
  • Review and update inventory of Apache Traffic Server instances
  • Monitor for potential exploitation attempts
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-18T13:17:06.150Z and was last modified on 2026-07-18T14:17:12.077Z. The NVD entry is currently Received. The vulnerability affects Apache Traffic Server versions from 9.0.0 through 9.1.13 and from 10.0.0 through 10.1.2. Users are recommended to upgrade to version 9.1.14 or 10.1.3. Evidence is limited to CVE and NVD details.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-18T13:17:06.150Z and has not been modified since then. The NVD entry is currently Received.