CVE-2026-34032EXPLOITEDPATCHED

apache software foundation · apache http server

Apache HTTP Server: mod_proxy_ajp: Heap Buffer Over-Read Due to Missing Null-Termination Check (ajp_msg_get_string)

Description

Improper Null Termination, Out-of-bounds Read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Affected Products

Vendor	Product	Versions
apache software foundation	apache http server	0

References

https://httpd.apache.org/security/vulnerabilities_24.html(vendor-advisory)

Related News (2 articles)

Tier C

oss-security3h ago

CVE-2026-34032: Apache HTTP Server: mod_proxy_ajp: Heap Buffer Over-Read Due to Missing Null-Termination Check (ajp_msg_get_string)

→ No new info (linked only)

Tier C

VulDB5h ago

CVE-2026-34032 | Apache HTTP Server up to 2.4.66 null termination

→ No new info (linked only)

CVSS 3.15.3 MEDIUM

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

https://httpd.apache.org/security/vulnerabilities_24.html

CWECWE-170, CWE-125

PublishedMay 4, 2026

Last enriched4h agov2

Trending Score64

Source articles2

Independent2

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

NONECVE-2026-24072EXP

Apache HTTP Server: mod_rewrite elevation of privileges via ap_expr

Trending: 51

NONECVE-2026-33006EXP

Apache HTTP Server: mod_auth_digest timing attack

Trending: 51

HIGHCVE-2026-29169

Apache HTTP Server: mod_dav_lock indirect lock crash

Trending: 48

HIGHCVE-2026-34059

Apache HTTP Server: mod_proxy_ajp: Heap Over-Read and memory disclosure in ajp_parse_data()

Trending: 48

MEDIUMCVE-2026-33857

Apache HTTP Server: Off-by-one OOB reads in AJP getter functions

Trending: 44

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

May 4, 2026

Discovered by ZDM

May 4, 2026

Updated: severity, activelyExploited

May 4, 2026

Actively Exploited

May 4, 2026

Patch Available

May 4, 2026

Version History

Last enriched 4h ago

v2Tier C4h ago

Updated severity to CRITICAL, marked as actively exploited, and noted that no exploit is available.

severityactivelyExploited

via VulDB

v15h ago

Initial creation