{
  "threat_severity" : "Moderate",
  "public_date" : "2026-05-04T12:39:42Z",
  "bugzilla" : {
    "description" : "httpd: mod_proxy_ajp: heap-based buffer over-read and memory disclosure in ajp_parse_data()",
    "id" : "2464940",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2464940"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.2",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-126",
  "details" : [ "Buffer Over-read vulnerability in Apache HTTP Server.\nThis issue affects Apache HTTP Server: through 2.4.66.\nUsers are recommended to upgrade to version 2.4.67, which fixes the issue.", "A flaw was found in the mod_proxy_ajp module of httpd. When processing AJP (Apache JServ Protocol) messages, the ajp_parse_data function attempts to read data beyond the allocated buffer size, allowing an attacker or a malformed request to cause a heap-based buffer over-read. This issue potentially leads to memory disclosure and a denial of service." ],
  "statement" : "To exploit this issue, the Apache HTTP Server must be configured to connect to an untrusted or compromised AJP backend server, limiting its exposure. Due to this reason, this flaw has been rated with a moderate severity.\nThis flaw only affects configurations with mod_proxy_ajp loaded and being used. This module can be disabled via the configuration file if its functionality is not being used.",
  "affected_release" : [ {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2026-06-22T00:00:00Z",
    "advisory" : "RHSA-2026:27200",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-httpd-0:2.4.62-13.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2026-06-22T00:00:00Z",
    "advisory" : "RHSA-2026:27200",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-httpd-0:2.4.62-13.el7jbcs"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-05-27T00:00:00Z",
    "advisory" : "RHSA-2026:21433",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.2",
    "package" : "httpd-0:2.4.63-13.el10_2.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-06-01T00:00:00Z",
    "advisory" : "RHSA-2026:22140",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "httpd:2.4-8100020260519200905.489197e6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-05-27T00:00:00Z",
    "advisory" : "RHSA-2026:21391",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "httpd-0:2.4.62-13.el9_8.1"
  }, {
    "product_name" : "Red Hat JBoss Core Services 2.4.62.SP4",
    "release_date" : "2026-06-22T00:00:00Z",
    "advisory" : "RHSA-2026:27201",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1",
    "package" : "mod_proxy_ajp.so"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-05-06T00:00:00Z",
    "advisory" : "RHSA-2026:13938",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "httpd-main-2.4.67-0.1.hum1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-34059\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34059\nhttps://httpd.apache.org/security/vulnerabilities_24.html" ],
  "name" : "CVE-2026-34059",
  "mitigation" : {
    "value" : "Disabling mod_proxy_ajp and restarting httpd will mitigate this flaw.",
    "lang" : "en:us"
  },
  "csaw" : false
}