PatchSiren cyber security CVE debrief
CVE-2026-29167 Apache CVE debrief
CVE-2026-29167 is a Use After Free vulnerability in Apache HTTP Server with mod_ldap in per-directory configuration. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue. The CVSS score for this vulnerability is 9.8, indicating a CRITICAL severity.
- Vendor: Apache
- Product: HTTP Server
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-08
- Original CVE updated: 2026-06-09
- Advisory published: 2026-06-08
- Advisory updated: 2026-06-09
Who should care
Users of Apache HTTP Server with mod_ldap in per-directory configuration, particularly those using versions from 2.4.0 through 2.4.67.
Technical summary
The vulnerability is caused by a Use After Free issue in Apache HTTP Server with mod_ldap in per-directory configuration. This can be exploited by an attacker to potentially execute arbitrary code or cause a denial of service.
Defensive priority
high
Recommended defensive actions
- Upgrade to Apache HTTP Server version 2.4.68 or later.
- Refer to the [Apache HTTP Server 2.4 vulnerabilities page](https://httpd.apache.org/security/vulnerabilities_24.html) for the vendor advisory and mitigation strategies.
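A triage check for the affected scope described above, added here as an example (not code from the vendor or the advisory). It compares an `httpd -v` banner against the 2.4.0 through 2.4.67 range and lists mod_ldap directives that sit in per-directory scope. Treating any directive whose name starts with `LDAP` as a mod_ldap directive is an assumption, as are the function names and the constructed sample configuration.

```python
import re

AFFECTED_MIN = (2, 4, 0)   # affected range as stated on this page
AFFECTED_MAX = (2, 4, 67)

# Containers that create per-directory scope; <IfModule>/<IfDefine> do not match.
NAMES = r"((Directory|Location|Files)(Match)?|If)\b"
OPEN = re.compile(r"<\s*" + NAMES, re.I)
CLOSE = re.compile(r"<\s*/\s*" + NAMES, re.I)
# Assumption: mod_ldap directives start with "LDAP"; mod_authnz_ldap's
# "AuthLDAP..." directives are deliberately not matched.
LDAP_DIRECTIVE = re.compile(r"^LDAP\w+", re.I)

# Constructed sample configuration, not taken from any real host.
SAMPLE_CONF = """LoadModule ldap_module modules/mod_ldap.so
LDAPCacheEntries 1024
<Directory "/var/www/private">
    # LDAPReferrals Off
    LDAPReferrals Off
    Require valid-user
</Directory>
"""

def parse_version(banner):
    """Extract (major, minor, patch) from `httpd -v` output or a Server header."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None

def version_affected(banner):
    v = parse_version(banner)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX

def per_dir_ldap_directives(conf_text, is_htaccess=False):
    """Return (line_no, directive) for LDAP* directives in per-directory scope."""
    hits, depth = [], 0
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and commented-out directives
        if CLOSE.match(line):
            depth = max(0, depth - 1)
        elif OPEN.match(line):
            depth += 1
        elif (depth > 0 or is_htaccess) and LDAP_DIRECTIVE.match(line):
            hits.append((no, line.split()[0]))
    return hits

def needs_priority_patch(banner, conf_text, is_htaccess=False):
    return version_affected(banner) and bool(per_dir_ldap_directives(conf_text, is_htaccess))
```

Distribution packages may backport a fix without changing the upstream version number, so confirm a version match against the package changelog.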
Evidence notes
The CVE-2026-29167 vulnerability has been analyzed and verified by official sources, including the National Vulnerability Database (NVD) and the Apache Software Foundation.
Official resources
- CVE-2026-29167 CVE record (CVE.org)
- CVE-2026-29167 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Mitigation or vendor reference: af854a3a-2127-422b-91ae-364da2661108 - Mailing List, Third Party Advisory
- Source reference: af854a3a-2127-422b-91ae-364da2661108 - Mailing List
CVE-2026-29167 was published on 2026-06-08T16:16:37.967Z and modified on 2026-06-09T16:29:16.347Z.