HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-44631Published Modified CNA apache

CVE-2026-44631: Apache HTTP Server: Heap Underflow in `ap_regname` via Signed Char Overflow

Buffer Underwrite vulnerability in Apache HTTP Server on crafted regular expressions in the configuration. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.

Metrics

CVSS v3.1
9.8
Severity
CRITICAL
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

Heap underflow (buffer underwrite) in Apache HTTP Server versions 2.4.0 through 2.4.67, triggered by crafted regular expressions processed through the ap_regname function. The vulnerability is reachable over the network without any authentication or user interaction required. Successful exploitation gives an attacker full read, write, and crash capability against the affected server process, enabling remote code execution, data theft, and service disruption. No upstream fix has been published yet; HarborGuard tracks this advisory and will surface a patched-image rebuild the moment Apache ships a confirmed fix version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built Apache HTTP Server images in both registries and active CI/CD pipelines. Any image packaging Apache HTTP Server 2.4.0 through 2.4.67 is flagged automatically without requiring manual intervention.

Available
Triage

HarborGuard scores this CVE at CVSS 9.8 Critical and is capable of weighting that score against each customer environment's compliance policy to determine urgency and escalation path. Triage results are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Available
Patch

Because no fix version has been published upstream, HarborGuard re-checks the Apache advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a confirmed fix version appears. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will be initiated without delay once the upstream patch is available.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The vulnerable code path is exposed over the network, meaning an attacker can reach it from any internet-connected host without needing prior access to the system.

  • AuthenticationNot required

    No account, session token, or credential of any kind is required to trigger the vulnerability.

  • Victim interactionNot required

    No user action such as clicking a link or opening a file is needed; the attacker can exploit the flaw entirely without involving any human target.

  • Attack complexityDetail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors outside the attacker's control.

Blast Radius

  • An attacker can read arbitrary heap memory from the Apache HTTP Server process, exposing in-flight request data, session tokens, and any secrets resident in the process address space.
  • An attacker can write to arbitrary heap memory below the intended buffer boundary, enabling remote code execution within the privileges of the web server process.
  • The heap corruption can be used to crash the Apache HTTP Server worker process, causing a denial of service for all requests handled by that worker.
  • If the server process runs with elevated privileges or shares memory with other services, the impact extends beyond the HTTP layer to other components in the same container or host environment.

How HarborGuard Handles This

Available on HarborGuard: detection against all images packaging Apache HTTP Server 2.4.0 through 2.4.67 is active now, scored at CVSS 9.8 Critical. Because Apache has not yet published a patched release, no rebuilt image is available at this time. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Apache ships a confirmed fix; for customers who opt into auto-remediation, the full rebuild, regression-test, and PR flow will trigger automatically at that point. In the interim, compensating controls available for consideration include network-policy isolation to restrict inbound access to the Apache HTTP Server to known-good sources, egress filtering to limit lateral movement if the process is compromised, and auditing Apache configuration for any user-influenced regular expression inputs that reach ap_regname, which can reduce the reachable attack surface until a patch is available.

See how HarborGuard automates this
Affected packages
  • Apache Software Foundation / Apache HTTP Server
    ≤ 2.4.67
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References