PatchSiren cyber security CVE debrief
CVE-2026-59173 Apache Software Foundation CVE debrief
CVE-2026-59173 is an Uncontrolled Resource Consumption vulnerability in Apache Traffic Server. The issue affects Apache Traffic Server versions from 9.0.0 through 9.1.13 and from 10.0.0 through 10.1.2. Users are recommended to upgrade to version 9.1.14 or 10.1.3, which fixes the issue. This vulnerability can lead to resource exhaustion, potentially causing performance issues or crashes. Affected users should review their deployments and plan for an upgrade.
- Vendor
- Apache Software Foundation
- Product
- Apache Traffic Server
- CVSS
- Unknown
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-18
- Original CVE updated
- 2026-07-18
- Advisory published
- 2026-07-18
- Advisory updated
- 2026-07-18
Who should care
Users of Apache Traffic Server versions 9.0.0 through 9.1.13 and 10.0.0 through 10.1.2 should upgrade to version 9.1.14 or 10.1.3. This includes administrators, security teams, and operators responsible for maintaining and securing Apache Traffic Server deployments. They should review their inventory of affected versions and plan for the necessary upgrades.
Technical summary
The CVE-2026-59173 vulnerability is an Uncontrolled Resource Consumption issue in Apache Traffic Server. This vulnerability affects versions from 9.0.0 through 9.1.13 and from 10.0.0 through 10.1.2. The recommended fix is to upgrade to version 9.1.14 or 10.1.3. The vulnerability can cause the server to consume excessive resources, leading to potential performance degradation or service disruption.
Defensive priority
Medium
Recommended defensive actions
- Upgrade Apache Traffic Server to version 9.1.14 or 10.1.3
- Review and update inventory of Apache Traffic Server instances
- Monitor for potential exploitation attempts
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record was published on 2026-07-18T13:17:06.150Z and was last modified on 2026-07-18T14:17:12.077Z. The NVD entry is currently Received. The vulnerability affects Apache Traffic Server versions from 9.0.0 through 9.1.13 and from 10.0.0 through 10.1.2. Users are recommended to upgrade to version 9.1.14 or 10.1.3. Evidence is limited to CVE and NVD details.
Official resources
-
CVE-2026-59173 CVE record
CVE.org
-
CVE-2026-59173 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
-
Source reference
af854a3a-2127-422b-91ae-364da2661108
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-18T13:17:06.150Z and has not been modified since then. The NVD entry is currently Received.