CVE-2021-26691
Apache HTTP Server mod_session response handling heap overflow
In short
Apache HTTP Server versions 2.4.0 to 2.4.46 are vulnerable to a heap overflow when mod_session processes a specially crafted session header returned by an origin server. A malicious or compromised origin server could therefore crash the Apache server or potentially execute arbitrary code on it by returning such a header.
Technical detail
A heap buffer overflow exists in mod_session's response header handling (CWE-122) and affects Apache 2.4.0–2.4.46. It is triggered when an origin server returns a crafted SessionHeader value that exceeds the expected buffer boundaries; the condition requires no authentication and can result in denial of service or remote code execution.
Summary generated and translated by AI from the official description.
In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow.
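As an added exposure check (this code is not part of the advisory or of the Apache project), the following Python parses the output of `httpd -v` and `httpd -M` and reports whether a host runs an affected version with mod_session actually loaded, since the overflow sits in mod_session's SessionHeader handling; the sample outputs are constructed.

```python
import re

# Versions the advisory lists as affected: 2.4.0 through 2.4.46 inclusive.
AFFECTED_MIN = (2, 4, 0)
AFFECTED_MAX = (2, 4, 46)

# Constructed sample outputs, shaped like `httpd -v` and `httpd -M`.
SAMPLE_VERSION = "Server version: Apache/2.4.46 (Unix)\nServer built:   Aug  5 2020 12:00:00\n"
SAMPLE_MODULES = ("Loaded Modules:\n core_module (static)\n so_module (static)\n"
                  " session_module (shared)\n session_cookie_module (shared)\n")


def parse_httpd_version(version_output: str):
    """Extract (major, minor, patch) from `httpd -v` output; None if absent."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", version_output)
    return tuple(int(x) for x in m.groups()) if m else None


def loaded_modules(modules_output: str) -> set:
    """Collect module names from `httpd -M` output, one ' name_module (shared|static)' per line."""
    return set(re.findall(r"^\s*(\w+_module)\s+\((?:shared|static)\)", modules_output, re.M))


def assess(version_output: str, modules_output: str) -> dict:
    """Exposure verdict: affected version range AND session_module loaded."""
    version = parse_httpd_version(version_output)
    modules = loaded_modules(modules_output)
    in_range = version is not None and AFFECTED_MIN <= version <= AFFECTED_MAX
    session_loaded = "session_module" in modules
    if version is None:
        verdict = "unknown: could not parse httpd version"
    elif not in_range:
        verdict = "not affected: version outside 2.4.0-2.4.46"
    elif not session_loaded:
        verdict = "not exposed: affected version but mod_session is not loaded"
    else:
        verdict = "exposed: upgrade httpd, or unload mod_session until patched"
    return {"version": version, "in_affected_range": in_range,
            "session_module_loaded": session_loaded, "verdict": verdict}


if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_MODULES)["verdict"])
```

On a real host, feed it the captured output of `httpd -v` and `httpd -M` (or `apache2ctl -M` on Debian-based systems, where the binary is named apache2).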
Affected products
Apache Software Foundation · Apache HTTP Server
References
http://httpd.apache.org/security/vulnerabilities_24.html
https://lists.apache.org/thread.html/r50cae1b71f1e7421069036b213c26da7d8f47dd59874e3bd956959fe%40%3Cannounce.httpd.apache.org%3E
https://lists.apache.org/thread.html/r7f2b70b621651548f4b6f027552f1dd91705d7111bb5d15cda0a68dd%40%3Cdev.httpd.apache.org%3E
https://lists.apache.org/thread.html/re026d3da9d7824bd93b9f871c0fdda978d960c7e62d8c43cba8d0bf3%40%3Ccvs.httpd.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/07/msg00006.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/
https://security.gentoo.org/glsa/202107-38
https://security.netapp.com/advisory/ntap-20210702-0001/
https://www.debian.org/security/2021/dsa-4937
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html