CVE-2026-44185: Apache HTTP Server: Stack Buffer Over-Read in mod_ssl OCSP `send_request`
Buffer Over-read vulnerability in Apache HTTP Server via outbound OCSP requests to an attacker-controlled OCSP server. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.
Metrics
- CVSS v3.1: 7.3
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A stack buffer over-read vulnerability exists in the mod_ssl module of Apache HTTP Server versions 2.4.0 through 2.4.67, triggered via outbound OCSP requests sent to an attacker-controlled OCSP responder. The flaw is reachable over the network with no authentication required and no user interaction needed, as the server itself initiates the outbound OCSP request during certificate validation. Successful exploitation gives an attacker limited read, write, and availability impact against the affected server process. Although the CVE description references 2.4.68 as the fix, no fix version has been formally published in this record, so HarborGuard is tracking the advisory for confirmed patch availability.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images running any Apache HTTP Server version in the affected 2.4.0 through 2.4.67 range, including custom-built images that bundle the httpd binary directly. Coverage extends to images in both registry scans and active CI/CD pipeline checks.
Status: Available
Triage is available with a CVSS v3.1 base score of 7.3 (HIGH), weighted against each customer environment's compliance policy to determine priority routing. Findings are surfaced to the appropriate team inbox within each customer org based on image ownership and policy configuration.
Status: Available
Because no fix version has been formally confirmed in the published record, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is published. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered automatically at that point without manual intervention.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The attacker must operate a reachable OCSP responder over the network that the Apache server contacts during outbound certificate-status validation.
- Authentication: Not required
  No authentication is required; the server initiates the OCSP request without any credential check against the remote responder.
- Victim interaction: Not required
  No human victim interaction is needed; the server's own OCSP validation logic triggers the vulnerable code path automatically.
- Attack complexity: Detail
  Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or specific environmental configuration beyond controlling an OCSP responder endpoint.
Blast Radius
- Reads a limited portion of stack memory from the Apache server process, which may expose fragments of in-memory data such as TLS session state or partial request buffers.
- Achieves limited writes, with potential to corrupt adjacent stack data in the affected server worker process.
- Disrupts availability of the affected worker process, which can degrade or crash request handling for connections that trigger OCSP validation.
- Impact is scoped to the individual server instance; the vulnerability does not cross privilege boundaries to the host OS in the current scoring.
How HarborGuard Handles This
Available on HarborGuard: continuous monitoring of this advisory is active across all customer environments, with the CVE matched against images running Apache HTTP Server 2.4.0 through 2.4.67 on every ingest cycle. Because no fix version is formally confirmed in the published record, a patched-image rebuild cannot be generated yet. In the interim, customers can apply compensating controls through HarborGuard policy: network-policy isolation to restrict outbound OCSP traffic from affected containers to only known-good responder addresses, and egress filtering rules to block connections to untrusted OCSP endpoints. Where compliance policy permits, auto-remediation is pre-staged so that the moment an upstream fix is published and ingested, affected images will be rebuilt, regression-tested, and a PR opened against affected workloads automatically. Customers who prefer manual control will receive a policy alert and rebuild prompt at the same time.
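To decide where the egress restrictions above matter, this added example (not HarborGuard or Apache code) checks an httpd version banner against the advisory's 2.4.0 through 2.4.67 range and looks for mod_ssl directives that cause outbound OCSP requests. The choice of directives, the function names, and the sample banner and config are assumptions constructed for illustration.

```python
import re

AFFECTED = ((2, 4, 0), (2, 4, 67))  # range stated in the advisory
# Directives that make mod_ssl contact an OCSP responder. Assumption: the
# advisory does not say which of them reach the vulnerable code path.
OCSP_SWITCHES = {"sslocspenable": {"on", "leaf"}, "sslusestapling": {"on"}}
RESPONDER_DIRECTIVES = {"sslocspdefaultresponder", "sslstaplingforceurl"}

# Constructed sample input, not taken from any real deployment.
SAMPLE_BANNER = "Server version: Apache/2.4.62 (Unix)"
SAMPLE_CONFIG = """
# SSLUseStapling on
SSLVerifyClient require
SSLOCSPEnable leaf
SSLOCSPDefaultResponder "http://ocsp.internal.example/"
"""

def parse_version(banner):
    """Extract (major, minor, patch) from an `httpd -v` style banner."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no Apache version in banner")
    return tuple(int(x) for x in m.groups())

def ocsp_settings(config_text):
    """Return (enabled OCSP directives, responder URLs pinned in the config)."""
    enabled, responders = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and commented-out directives
        parts = line.split()
        name, args = parts[0].lower(), parts[1:]
        if name in OCSP_SWITCHES and args and args[0].lower() in OCSP_SWITCHES[name]:
            enabled.append(parts[0])
        elif name in RESPONDER_DIRECTIVES and args:
            responders.append(args[0].strip('"'))
    return enabled, responders

def assess(banner, config_text):
    version = parse_version(banner)
    enabled, responders = ocsp_settings(config_text)
    affected = AFFECTED[0] <= version <= AFFECTED[1]
    return {"affected_version": affected, "outbound_ocsp": enabled,
            "exposed": affected and bool(enabled),
            "responders_to_allowlist": responders}

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_CONFIG))
```

Responder URLs taken from certificates rather than from the config are not listed, so the returned allowlist is a starting point for the egress rule, not the full set.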
- Apache Software Foundation / Apache HTTP Server ≤ 2.4.67
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L