Buffer overflow in Apache Software Foundation Http Server
CVE-2021-26691
In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow
Vulnerability class: Buffer Overflow
EPSS: 0.681 (99.2th percentile) — read the EPSS interpretation.
Affected products
- Apache Software Foundation Http Server — versions 2.4.46, 2.4.43, 2.4.41
Weakness classification (CWE)
Public proof-of-concept exploits
References
- httpd.apache.org/security/vulnerabilities_24.html (x_refsource_MISC)
- lists.apache.org/thread.html/re026d3da9d7824bd93b9f871c0fdda978d960c7e62d8c43cb… (x_refsource_MISC)
- [httpd-announce] 20210609 CVE-2021-26691: mod_session response handling heap overflow (mailing-list, x_refsource_MLIST)
- [httpd-dev] 20210610 Re: svn commit: r1890598 - in /httpd/site/trunk/content/security/json: CVE-2019-17567.json CVE-2020-13938.json CVE-2020-13950.json CVE-2020-35452.json CVE-2021-26690.json CVE-2021-26691.json CVE-2021-30641.json CVE-2021-31618.json (mailing-list, x_refsource_MLIST)
- [oss-security] 20210609 CVE-2021-26691: Apache httpd: mod_session response handling heap overflow (mailing-list, x_refsource_MLIST)
- [debian-lts-announce] 20210709 [SECURITY] [DLA 2706-1] apache2 security update (mailing-list, x_refsource_MLIST)
- DSA-4937 (vendor-advisory, x_refsource_DEBIAN)
- GLSA-202107-38 (vendor-advisory, x_refsource_GENTOO)
- FEDORA-2021-dce7e7738e (vendor-advisory, x_refsource_FEDORA)
- FEDORA-2021-e3f6dd670d (vendor-advisory, x_refsource_FEDORA)
Frequently asked questions
- What is CVE-2021-26691?
- CVE-2021-26691 is a vulnerability in Apache Software Foundation Http Server, classified under Heap-based Buffer Overflow. Published 2021-06-10.
- Is CVE-2021-26691 known to be exploited?
- 23 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.