{
  "threat_severity" : "Important",
  "public_date" : "2026-06-08T15:22:11Z",
  "bugzilla" : {
    "description" : "httpd: Apache HTTP Server: Buffer Over-read via outbound OCSP requests to attacker-controlled server",
    "id" : "2486397",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2486397"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
    "status" : "draft"
  },
  "cwe" : "CWE-125",
  "details" : [ "Buffer Over-read vulnerability in Apache HTTP Server via outbound OCSP requests to an attacker controlled OCSP server\nThis issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.\nUsers are recommended to upgrade to version 2.4.68, which fixes the issue.", "A flaw was found in Apache HTTP Server. This buffer over-read vulnerability occurs when the server processes outbound Online Certificate Status Protocol (OCSP) requests directed to an attacker-controlled OCSP server. This could allow a remote attacker to read sensitive information from memory or cause a denial of service." ],
  "statement" : "A buffer over-read flaw in Apache HTTP Server occurs when it performs outbound OCSP requests. If the server connects to an attacker-controlled OCSP responder, a remote attacker can cause it to disclose sensitive memory contents or trigger a denial of service (DoS). Exposure depends entirely on the server's OCSP configuration: whether OCSP validation or stapling is enabled, and which responders those outbound requests reach.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "fix_state" : "Affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-44185\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-44185\nhttps://httpd.apache.org/security/vulnerabilities_24.html" ],
  "name" : "CVE-2026-44185",
  "mitigation" : {
    "value" : "To mitigate this issue, ensure that Apache HTTP Server is configured to communicate only with trusted OCSP responders (for example, by forcing a fixed responder URL in the mod_ssl configuration with SSLOCSPOverrideResponder/SSLOCSPDefaultResponder or SSLStaplingForceURL, rather than following the responder URL embedded in certificates). If OCSP validation or stapling is not a critical requirement for your deployment, consider disabling it by adjusting the mod_ssl directives in your Apache HTTP Server configuration; note that this also disables certificate revocation checking, so treat it as a temporary measure until a fixed package is available.\nFor example, add or modify the following lines:\n~~~\nSSLOCSPEnable off\nSSLUseStapling off\n~~~\nAfter modifying the configuration, reload the httpd service so the changes take effect without interrupting active connections:\n~~~\nsudo systemctl reload httpd\n~~~",
    "lang" : "en:us"
  },
  "csaw" : false
}