CVE-2026-29167: Apache HTTP Server: mod_ldap per-dir use-after-free
Use-after-free vulnerability in Apache HTTP Server with mod_ldap in per-directory configuration. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: 2.4.68 (upstream release named in the advisory text)
- Affected Products: 1
HarborGuard Analysis
Synopsis
A use-after-free vulnerability exists in the Apache HTTP Server mod_ldap module when processing per-directory LDAP configuration. The flaw is reachable over the network with no authentication required, as reflected in the CVSS vector (AV:N/AC:L/PR:N/UI:N). The vector rates confidentiality, integrity and availability impact all High (C:H/I:H/A:H): freed heap memory in the server process may be read or written, and the worker can be crashed. The upstream advisory names 2.4.68 as the fixing release; HarborGuard is tracking the advisory and makes a patched-image rebuild available against that release.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Apache HTTP Server with mod_ldap enabled. Any image running Apache HTTP Server 2.4.0 through 2.4.67 will surface as affected in the scan results. Matching is by package version, so an image in that range surfaces whether or not mod_ldap is actually loaded; confirming real exposure means checking that mod_ldap is loaded and that LDAP directives are used in a per-directory context.
HarborGuard scores this finding at CVSS 9.8 Critical and weights that score against each customer environment's own compliance policy to determine priority and urgency. Triage routing sends the finding to the appropriate team inbox inside each customer organization based on configured ownership rules.
Because upstream has published 2.4.68 as the fixing release, HarborGuard's patched-image rebuild targets that release (or a distribution backport that references this CVE) as soon as it appears in the upstream feeds. For customers who opt into auto-remediation, the rebuild, regression test run, and pull request against affected workloads are triggered without manual intervention.
Exploit Conditions
- Network reachability: Required
The vulnerable code path is exposed over the network; an attacker must be able to send HTTP requests to the affected server.
- Authentication: Not required
No account or credentials of any privilege level are needed to reach the vulnerable code path.
- Victim interaction: Not required
The attack is fully server-side; no user action such as clicking a link or opening a file is required.
- Attack complexity: Low
The CVSS vector rates attack complexity as Low (AC:L), meaning the scorer judged that no special conditions outside the attacker's control are needed to reach the flaw. Note that this is a statement about reaching the bug, not about exploit reliability: turning a use-after-free into anything beyond a crash still depends on heap state at the time of the free.
Blast Radius
- Confidentiality (C:H): freed heap memory in the server process may be disclosed, which can include session tokens, LDAP bind credentials, and other in-memory application data.
- Integrity (I:H): writes through the dangling pointer land in freed memory, allowing corruption of server state or in-memory data structures.
- Availability (A:H): the Apache HTTP Server worker process crashes, denying service for requests handled by that worker; the parent normally respawns workers, but repeated crashes degrade or exhaust the server.
- Depending on memory layout at the time of exploitation, a use-after-free of this kind may be escalated to code execution in the server process context. The advisory does not confirm code execution for this CVE, so treat it as a possible, not an established, outcome.
How HarborGuard Handles This
Available on HarborGuard: continuous monitoring of this advisory is active across all customer environments, with the finding already matchable against any scanned image running Apache HTTP Server 2.4.0 through 2.4.67. Upstream has published 2.4.68 as the fixing release, so the primary remediation is to rebuild on 2.4.68 or on a distribution package whose advisory references this CVE; HarborGuard triggers the patched-image rebuild as soon as that release or backport appears in the upstream feeds. For customers who opt into auto-remediation, that rebuild is followed immediately by a regression test run and a PR opened against any affected workloads, with a typical median time from patch publication to merged PR of around 90 minutes for Critical-severity issues. Until the rebuilt image is deployed, compensating controls worth considering include isolating affected servers behind a network policy that restricts inbound HTTP access to known source ranges, disabling mod_ldap in per-directory configuration contexts where not strictly required, and applying egress filtering to limit what the server process can reach if memory corruption does occur.
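As an added example (not HarborGuard's or the Apache project's code), the following Python triage helper implements the checks the coverage and handling sections above describe: whether the installed httpd version falls in the affected range 2.4.0 through 2.4.67, whether mod_ldap is loaded, and whether LDAP directives appear in a per-directory context (<Directory>, <Location>, <Files> and their *Match forms). It takes the text of `httpd -v`, `httpd -M` and the configuration as strings; the sample inputs are constructed. Treating every LDAP- or AuthLDAP-prefixed directive as relevant is an assumption made here for triage: the advisory does not say which mod_ldap per-directory directive reaches the freed object.

```python
"""Triage helper for CVE-2026-29167 (added example, not vendor code).

Inputs: the text of `httpd -v`, `httpd -M`, and httpd.conf.
Sample inputs at the bottom are constructed for illustration.
"""
import re

AFFECTED_MIN = (2, 4, 0)    # first affected, per the upstream advisory
AFFECTED_MAX = (2, 4, 67)   # last affected, per the upstream advisory
FIXED = (2, 4, 68)          # first fixed, per the upstream advisory

# Container directives that open a per-directory configuration context.
PER_DIR_CONTAINERS = ("directory", "directorymatch", "location",
                      "locationmatch", "files", "filesmatch")
# Assumption: any mod_ldap or mod_authnz_ldap directive is relevant.
LDAP_DIRECTIVE = re.compile(r"^(Auth)?LDAP\w*\b", re.IGNORECASE)


def parse_version(httpd_v: str):
    """Return (major, minor, patch) from `httpd -v` output, or None."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", httpd_v)
    return tuple(int(x) for x in m.groups()) if m else None


def version_affected(ver) -> bool:
    return ver is not None and AFFECTED_MIN <= ver <= AFFECTED_MAX


def ldap_module_loaded(httpd_m: str) -> bool:
    """`httpd -M` lists loaded modules; mod_ldap appears as ldap_module."""
    return re.search(r"^\s*ldap_module\b", httpd_m, re.MULTILINE) is not None


def ldap_directives_in_per_dir_context(config: str):
    """Return (line_no, line) for LDAP directives inside a per-dir container.

    Tracks container nesting with a stack; directives outside any
    per-directory container are server-level and are not reported.
    """
    hits, stack = [], []
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        close_m = re.match(r"</(\w+)>", line)
        if close_m:
            if stack and stack[-1] == close_m.group(1).lower():
                stack.pop()
            continue
        open_m = re.match(r"<(\w+)", line)
        if open_m:
            stack.append(open_m.group(1).lower())
            continue
        if any(c in PER_DIR_CONTAINERS for c in stack) and LDAP_DIRECTIVE.match(line):
            hits.append((n, line))
    return hits


def assess(httpd_v: str, httpd_m: str, config: str) -> dict:
    """Combine the three checks into one verdict for a host or image."""
    ver = parse_version(httpd_v)
    hits = ldap_directives_in_per_dir_context(config)
    result = {
        "version": ver,
        "version_affected": version_affected(ver),
        "ldap_module_loaded": ldap_module_loaded(httpd_m),
        "per_dir_ldap_hits": hits,
    }
    if not result["version_affected"]:
        result["verdict"] = "not affected: version outside 2.4.0-2.4.67"
    elif not result["ldap_module_loaded"]:
        result["verdict"] = "affected version but mod_ldap not loaded: upgrade on schedule"
    elif hits:
        result["verdict"] = ("exposed: affected version, mod_ldap loaded, "
                             "LDAP directives in per-directory context")
    else:
        result["verdict"] = ("affected version with mod_ldap loaded; no per-directory "
                             "LDAP config in httpd.conf, check .htaccess files")
    return result


# Constructed sample inputs (not real hosts).
SAMPLE_HTTPD_V = "Server version: Apache/2.4.62 (Unix)\nServer built:   Jan  1 2025\n"
SAMPLE_HTTPD_M = ("Loaded Modules:\n core_module (static)\n"
                  " ldap_module (shared)\n authnz_ldap_module (shared)\n")
SAMPLE_CONF = """
LoadModule ldap_module modules/mod_ldap.so
LDAPSharedCacheSize 500000
<VirtualHost *:443>
  <Directory "/srv/www/intranet">
    AuthType Basic
    AuthLDAPURL "ldap://ldap.example.internal/ou=people,dc=example,dc=internal?uid"
    LDAPReferrals Off
    Require valid-user
  </Directory>
</VirtualHost>
"""

if __name__ == "__main__":
    for key, value in assess(SAMPLE_HTTPD_V, SAMPLE_HTTPD_M, SAMPLE_CONF).items():
        print(f"{key}: {value}")
```

Feed it the output of `httpd -v` and `httpd -M` from inside the running container, since a distribution package may report a backported fix under an unchanged version string; in that case the package changelog, not the version, decides. The server-level `LDAPSharedCacheSize` in the sample is deliberately not reported, only the two directives inside the `<Directory>` block are.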
- Apache Software Foundation / Apache HTTP Server: 2.4.0 through 2.4.67 (≤ 2.4.67)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H