Is CVE-2021-26690 known to be exploited?

22 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Apache Software Foundation Http Server

CVE-2021-26690

Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service

EPSS: 0.604 (98.3th percentile) — read the EPSS interpretation.

Affected products

Apache Software Foundation Http Server — versions 2.4.46, 2.4.43, 2.4.41

Public proof-of-concept exploits

References

httpd.apache.org/security/vulnerabilities_24.html (x_refsource_MISC)
lists.apache.org/thread.html/re026d3da9d7824bd93b9f871c0fdda978d960c7e62d8c43cb… (x_refsource_MISC)
[httpd-announce] 20210609 CVE-2021-26690: mod_session NULL pointer dereference (mailing-list, x_refsource_MLIST)
[httpd-dev] 20210610 Re: svn commit: r1890598 - in /httpd/site/trunk/content/security/json: CVE-2019-17567.json CVE-2020-13938.json CVE-2020-13950.json CVE-2020-35452.json CVE-2021-26690.json CVE-2021-26691.json CVE-2021-30641.json CVE-2021-31618.json (mailing-list, x_refsource_MLIST)
[oss-security] 20210609 CVE-2021-26690: Apache httpd: mod_session NULL pointer dereference (mailing-list, x_refsource_MLIST)
[debian-lts-announce] 20210709 [SECURITY] [DLA 2706-1] apache2 security update (mailing-list, x_refsource_MLIST)
DSA-4937 (vendor-advisory, x_refsource_DEBIAN)
GLSA-202107-38 (vendor-advisory, x_refsource_GENTOO)
FEDORA-2021-dce7e7738e (vendor-advisory, x_refsource_FEDORA)
FEDORA-2021-e3f6dd670d (vendor-advisory, x_refsource_FEDORA)

Frequently asked questions

What is CVE-2021-26690?: CVE-2021-26690 is a vulnerability in Apache Software Foundation Http Server. Published 2021-06-10.
Is CVE-2021-26690 known to be exploited?: 22 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.