CVE-2026-33857 PUBLISHED

Apache HTTP Server: Off-by-one OOB reads in AJP getter functions

Assigner: apache
Reserved: 24.03.2026 Published: 04.05.2026 Updated: 04.05.2026

Out-of-bounds Read vulnerability in mod_proxy_ajp of

Apache HTTP Server.

This issue affects Apache HTTP Server: through 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Product Status

Vendor Apache Software Foundation
Product Apache HTTP Server
Versions Default: unaffected
  • affected from 0 to 2.4.66 (incl.)

Credits

  • Elhanan Haenel finder

References

Problem Types

  • CWE-125 Out-of-bounds Read CWE