CVE-2026-34032 PUBLISHED

Apache HTTP Server: mod_proxy_ajp: Heap Buffer Over-Read Due to Missing Null-Termination Check (ajp_msg_get_string)

Assigner: apache
Reserved: 25.03.2026 Published: 04.05.2026 Updated: 04.05.2026

Improper Null Termination, Out-of-bounds Read vulnerability in Apache HTTP Server.

This issue affects Apache HTTP Server: through 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Product Status

Vendor Apache Software Foundation
Product Apache HTTP Server
Versions Default: unaffected
  • affected from 0 to 2.4.66 (incl.)

Credits

  • Tianshuo Han (<hantianshuo233@gmail.com>) finder
  • Jérôme Djouder finder

References

Problem Types

  • CWE-170 Improper Null Termination CWE
  • CWE-125 Out-of-bounds Read CWE