{
  "threat_severity" : "Moderate",
  "public_date" : "2026-05-04T13:07:30Z",
  "bugzilla" : {
    "description" : "httpd: mod_proxy_ajp: off-by-one out-of-bounds reads in AJP getter functions",
    "id" : "2464953",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2464953"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-125",
  "details" : [ "Out-of-bounds Read vulnerability in mod_proxy_ajp of Apache HTTP Server.\nThis issue affects Apache HTTP Server: through 2.4.66.\nUsers are recommended to upgrade to version 2.4.67, which fixes the issue.", "A flaw was found in the mod_proxy_ajp module of httpd. When processing AJP (Apache JServ Protocol) messages, the AJP getter functions attempt to read data beyond the allocated buffer size, allowing an attacker or a malformed request to cause an out-of-bounds read. This issue leads to a denial of service." ],
  "statement" : "To exploit this issue, the Apache HTTP Server must be configured to connect to an untrusted or compromised AJP backend server, which limits its exposure. For this reason, this flaw has been rated with a moderate severity.\nThis flaw only affects configurations in which mod_proxy_ajp is loaded and in use. This module can be disabled via the configuration file if its functionality is not needed.",
  "affected_release" : [ {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2026-06-22T00:00:00Z",
    "advisory" : "RHSA-2026:27200",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-httpd-0:2.4.62-13.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2026-06-22T00:00:00Z",
    "advisory" : "RHSA-2026:27200",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-httpd-0:2.4.62-13.el7jbcs"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-05-27T00:00:00Z",
    "advisory" : "RHSA-2026:21433",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.2",
    "package" : "httpd-0:2.4.63-13.el10_2.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-06-01T00:00:00Z",
    "advisory" : "RHSA-2026:22140",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "httpd:2.4-8100020260519200905.489197e6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-05-27T00:00:00Z",
    "advisory" : "RHSA-2026:21391",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "httpd-0:2.4.62-13.el9_8.1"
  }, {
    "product_name" : "Red Hat JBoss Core Services 2.4.62.SP4",
    "release_date" : "2026-06-22T00:00:00Z",
    "advisory" : "RHSA-2026:27201",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1",
    "package" : "mod_proxy_ajp.so"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-05-06T00:00:00Z",
    "advisory" : "RHSA-2026:13938",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "httpd-main-2.4.67-0.1.hum1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-33857\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33857\nhttps://httpd.apache.org/security/vulnerabilities_24.html" ],
  "name" : "CVE-2026-33857",
  "mitigation" : {
    "value" : "Disabling mod_proxy_ajp and restarting httpd will mitigate this flaw.",
    "lang" : "en:us"
  },
  "csaw" : false
}