{
  "threat_severity" : "Important",
  "public_date" : "2026-06-08T15:20:30Z",
  "bugzilla" : {
    "description" : "httpd: Apache HTTP Server: Buffer overflow in mod_proxy_html allows security bypass",
    "id" : "2486414",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2486414"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-120",
  "details" : [ "A buffer overflow in mod_proxy_html in Apache HTTP Server 2.4.67 and earlier allows an attack by an untrusted backend.\nUsers are recommended to upgrade to version 2.4.68, which fixes this issue.", "A vulnerability has been identified in the Apache HTTP Server. If the server is configured to connect to a malicious or compromised backend server, an attacker could exploit this flaw to bypass security controls or run unauthorized code on the system." ],
  "statement" : "This Important vulnerability in `mod_proxy_html` within the Apache HTTP Server allows an untrusted backend to trigger a buffer overflow. This could lead to a security bypass or arbitrary code execution, posing a significant risk in environments where `httpd` is configured with untrusted backend services.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "fix_state" : "Affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-34355\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34355\nhttps://httpd.apache.org/security/vulnerabilities_24.html" ],
  "name" : "CVE-2026-34355",
  "mitigation" : {
    "value" : "Disable the `mod_proxy_html` module if it is not essential for your Apache HTTP Server configuration. If `mod_proxy_html` is required, restrict its use to trusted backend servers only, employing network segmentation and access controls. After modifying the configuration, reload the httpd service for the changes to take effect; this may cause a brief service interruption.\nSteps to disable:\nOpen /etc/httpd/conf.modules.d/00-proxy.conf.\nAdd a # to comment out the line: LoadModule proxy_html_module modules/mod_proxy_html.so\nVerify the configuration syntax: apachectl configtest\nApply the change gracefully: systemctl reload httpd",
    "lang" : "en:us"
  },
  "csaw" : false
}