Zero Day Monitor (ZDM)
5.3
CVE-2026-33857 · PATCHED
apache software foundation · apache http server

Apache HTTP Server: Off-by-one OOB reads in AJP getter functions

Description

Out-of-bounds Read vulnerability in mod_proxy_ajp of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Affected Products

Vendor | Product | Versions
apache software foundation | apache http server | 0

References

  • https://httpd.apache.org/security/vulnerabilities_24.html (vendor-advisory)

Related News (2 articles)

Tier C · oss-security · 4h ago
CVE-2026-33857: Apache HTTP Server: Off-by-one OOB reads in AJP getter functions
→ No new info (linked only)

Tier C · VulDB · 7h ago
CVE-2026-33857 | Apache HTTP Server up to 2.4.66 mod_proxy_ajp out-of-bounds
→ No new info (linked only)

CVSS 3.1: 5.3 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA KEV: ❌ No
Actively exploited: ❌ No
Patch available: https://httpd.apache.org/security/vulnerabilities_24.html
CWE: CWE-125
Published: May 4, 2026
Last enriched: 6h ago (v2)
Trending Score: 44
Source articles: 2
Independent: 2
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

MEDIUM · CVE-2026-34032 · EXP
Apache HTTP Server: mod_proxy_ajp: Heap Buffer Over-Read Due to Missing Null-Termination Check (ajp_msg_get_string)
Trending: 63

NONE · CVE-2026-24072 · EXP
Apache HTTP Server: mod_rewrite elevation of privileges via ap_expr
Trending: 55

NONE · CVE-2026-33006 · EXP
Apache HTTP Server: mod_auth_digest timing attack
Trending: 51

HIGH · CVE-2026-29169
Apache HTTP Server: mod_dav_lock indirect lock crash
Trending: 48

HIGH · CVE-2026-34059
Apache HTTP Server: mod_proxy_ajp: Heap Over-Read and memory disclosure in ajp_parse_data()
Trending: 48

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: May 4, 2026
Discovered by ZDM: May 4, 2026
Updated: description, severity: May 4, 2026
Patch Available: May 4, 2026

Version History

v2 · Tier C · 6h ago

Updated severity to CRITICAL, corrected exploit availability to false, and provided a more detailed description of the vulnerability.

description, severity
via VulDB

v1 · 7h ago

Initial creation