CVE-2026-42536: Apache HTTP Server: mod_xml2enc heap overflow
Heap-based Buffer Overflow vulnerability in Apache HTTP Server with mod_xml2enc, xml2StartParse, and untrusted content. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A heap-based buffer overflow affects Apache HTTP Server versions 2.4.0 through 2.4.67 when the mod_xml2enc module is enabled and processes untrusted content via the xml2StartParse function. The vulnerability is reachable over the network with no authentication required and no victim interaction needed. Successful exploitation crashes the affected HTTP server process, causing a denial of service. No fix versions have been published yet; HarborGuard tracks the upstream advisory and will make a patched-image rebuild available as soon as Apache ships a release.
HarborGuard Coverage
Detection is available across every HarborGuard environment. The CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built images that bundle Apache HTTP Server.
Status: Available
HarborGuard scores this CVE at 7.5 HIGH using the published CVSS v3.1 vector and weights it against each environment's compliance policy to determine urgency and routing. Findings are dispatched to the appropriate team inbox within each customer organization based on configured ownership rules.
Status: Available
Because no fix version has been published, HarborGuard re-checks the upstream Apache advisory on every ingest cycle and will make a patched-image rebuild available the moment Apache publishes a corrected release. In the meantime, customers can use HarborGuard's compensating-control recommendations, such as network-policy isolation for workloads running mod_xml2enc, to reduce exposure.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The attacker must reach the Apache HTTP Server over the network by sending a crafted request; no local access or special positioning is needed.
- Authentication: Not required
No credentials or session token are needed; the vulnerable code path is reachable by any unauthenticated HTTP request.
- Victim interaction: Not required
The server processes the malicious content autonomously; no user or administrator action is required to trigger the overflow.
- Attack complexity: Low
Exploitation is reliable and condition-free; no race condition, memory-layout knowledge, or environmental dependency is required.
Blast Radius
- Crashes the Apache HTTP Server worker process handling the malicious request, taking the service offline or degrading availability for all clients.
- Repeated requests can sustain a denial-of-service condition, preventing the server from serving any legitimate traffic until the process is restarted.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix exists yet, HarborGuard continuously re-checks the Apache advisory on every ingest cycle. The moment Apache publishes version 2.4.68 or any patch release, a rebuilt image at that version becomes available automatically; customers with auto-remediation enabled will receive a regression-tested rebuild and a PR opened against affected workloads without manual intervention. While waiting for the upstream fix, HarborGuard surfaces compensating-control suggestions for affected environments, including applying network policy to restrict inbound requests to trusted sources, disabling or isolating workloads where mod_xml2enc is not strictly required, and configuring egress filtering to limit the server's exposure. Environments without auto-remediation will see the fix flagged in the HarborGuard dashboard as soon as the rebuild is available.
Affected Products
- Apache Software Foundation / Apache HTTP Server: ≤ 2.4.67
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H