CVE-2026-34355
A buffer overflow in mod_proxy_html in Apache HTTP Server 2.4.67 and earlier allows an attack by an untrusted backend. Users are recommended
CVSS
7.5
High
EPSS
0.8%
p53
KEV
—
Exploit Today
16
0-100
Published: Jun 8, 2026 · Last modified: Jul 16, 2026 · CWE-122 · CWE-120
0.7%EPSS · 30 days0.8%
2026-06-302026-07-16
A buffer overflow in mod_proxy_html in Apache HTTP Server 2.4.67 and earlier allows an attack by an untrusted backend. Users are recommended to upgrade to version 2.4.68, which fixes this issue.
- httpd.apache.orghttps://httpd.apache.org/security/vulnerabilities_24.html
- www.openwall.comhttp://www.openwall.com/lists/oss-security/2026/06/08/6
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:25042
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:34109
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2026-34355
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2486414
- security.access.redhat.comhttps://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-34355.json
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2025-312778.8 HIG71.0%
KEV—71Apple Multiple Products Buffer Overflow Vulnerability3dCVE-2026-429458.1 HIG99.1%
——30NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.3dCVE-2025-154678.8 HIG98.7%
——30Issue summary: Parsing CMS AuthEnvelopedData or EnvelopedData message with
maliciously crafted AEAD parameters can trigger a stack buffer overflow.
Impact summary: A stack buffer overflow may lead to a crash, causing Denial
of Service, or potentially remote code execution.
When parsing CMS (Auth)EnvelopedData structures that use AEAD ciphers such as
AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is
copied into a fixed-size stack buffer without verifying that its length fits
the destination. An attacker can supply a crafted CMS message with an
oversized IV, causing a stack-based out-of-bounds write before any
authentication or tag verification occurs.
Applications and services that parse untrusted CMS or PKCS#7 content using
AEAD ciphers (e.g., S/MIME (Auth)EnvelopedData with AES-GCM) are vulnerable.
Because the overflow occurs prior to authentication, no valid key material
is required to trigger it. While exploitability to remote code execution
depends on platform and toolchain mitigations, the stack-based write
primitive represents a severe risk.
The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this
issue, as the CMS implementation is outside the OpenSSL FIPS module
boundary.
OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.
OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.3dCVE-2026-276548.2 HIG97.4%
——29NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow to the NGINX worker process; this vulnerability may result in termination of the NGINX worker process or modification of source or destination file names outside the document root. This issue affects NGINX Open Source and NGINX Plus when the configuration file uses DAV module MOVE or COPY methods, prefix location (nonregular expression location configuration), and alias directives. The integrity impact is constrained because the NGINX worker process user has low privileges and does not have access to the entire system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.3dCVE-2022-374349.8 CRI96.5%
——29zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).3dCVE-2026-505189.8 CRI93.7%
——28Heap-based buffer overflow in Windows DHCP Server allows an unauthorized attacker to execute code over a network.2d