{
  "threat_severity" : "Moderate",
  "public_date" : "2026-06-08T15:16:14Z",
  "bugzilla" : {
    "description" : "httpd: Apache HTTP Server: Out-of-bounds Read in mod_headers and mod_mime",
    "id" : "2486415",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2486415"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
    "status" : "draft"
  },
  "cwe" : "CWE-125",
  "details" : [ "Out-of-bounds Read vulnerability in Apache HTTP Server with mod_headers and mod_mime and multiple response languages.\nThis issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.", "A flaw was found in Apache HTTP Server. An out-of-bounds read vulnerability exists when `mod_headers` and `mod_mime` are used with multiple response languages. This could allow a remote attacker to disclose sensitive information from memory or cause a denial of service." ],
  "statement" : "This Moderate-impact vulnerability in Apache HTTP Server is an out-of-bounds read that occurs when both the `mod_headers` and `mod_mime` modules are active and configured for multiple response languages. This configuration is not enabled by default in every Red Hat product; systems where these modules and language settings are in use could be exposed to information disclosure or denial of service. Exploitation requires a remote attacker to trigger this specific module interaction.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "fix_state" : "Affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-43951\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-43951\nhttps://httpd.apache.org/security/vulnerabilities_24.html" ],
  "name" : "CVE-2026-43951",
  "mitigation" : {
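    "value" : "- Those who do not require multi-language response headers can remove or disable the `mod_headers` and `mod_mime` modules, or remove Content-Language directives from their configuration.\n- Systems not using these modules in combination are not affected.\n- Before disabling either module, check which modules are loaded (`httpd -M`) and whether the rest of the configuration depends on them; `mod_mime` also maps file extensions to content types.",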
    "lang" : "en:us"
  },
  "csaw" : false
}