Zero Day MonitorZDM

← Back to list

7.5

CVE-2026-29169PATCHED

Apache Software Foundation · Apache HTTP Server

Apache HTTP Server: mod_dav_lock indirect lock crash

Description

A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an attacker to crash the server with a malicious request.mod_dav_lock is not used internally by mod_dav or mod_dav_fs. The only known use-case for mod_dav_lock was mod_dav_svn from Apache Subversion earlier than version 1.2.0. Users are recommended to upgrade to version 2.4.66, which fixes this issue, or remove mod_dav_lock.

Affected Products

Vendor	Product	Versions
Apache Software Foundation	Apache HTTP Server	0

References

https://httpd.apache.org/security/vulnerabilities_24.html(vendor-advisory)

Related News (2 articles)

Tier C

oss-security4h ago

CVE-2026-29169: Apache HTTP Server: mod_dav_lock indirect lock crash

→ No new info (linked only)

Tier C

VulDB5h ago

CVE-2026-29169 | Apache HTTP Server up to 2.4.66 mod_dav_lock/mod_dav_svn null pointer dereference

→ No new info (linked only)

CVSS 3.17.5 HIGH

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA KEV❌ No

Actively exploited❌ No

Patch available

https://httpd.apache.org/security/vulnerabilities_24.html

CWECWE-476

PublishedMay 4, 2026

Last enriched5h agov2

Trending Score48

Source articles2

Independent2

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

MEDIUMCVE-2026-34032EXP

Apache HTTP Server: mod_proxy_ajp: Heap Buffer Over-Read Due to Missing Null-Termination Check (ajp_msg_get_string)

NONECVE-2026-24072EXP

Apache HTTP Server: mod_rewrite elevation of privileges via ap_expr

NONECVE-2026-33006EXP

Apache HTTP Server: mod_auth_digest timing attack

HIGHCVE-2026-34059

Apache HTTP Server: mod_proxy_ajp: Heap Over-Read and memory disclosure in ajp_parse_data()

MEDIUMCVE-2026-33857

Apache HTTP Server: Off-by-one OOB reads in AJP getter functions

Pin to Dashboard

Verification

State: verified

Confidence: 0%

Vulnerability Timeline

CVE Published

May 4, 2026

Discovered by ZDM

May 4, 2026

Updated: cvssEstimate

May 4, 2026

Patch Available

May 4, 2026

Version History

v2

Last enriched 5h ago

v2Tier C5h ago

Updated description with new details, changed severity to HIGH, set CVSS estimate to 7.5, and marked the vulnerability as actively exploited.

cvssEstimate

via VulDB

v15h ago

Initial creation