{
  "threat_severity" : "Moderate",
  "public_date" : "2026-06-08T15:19:23Z",
  "bugzilla" : {
    "description" : "httpd: Apache HTTP Server: Denial of Service via crafted regular expressions",
    "id" : "2486399",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2486399"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-124",
  "details" : [ "Buffer Underwrite vulnerability in Apache HTTP Server on crafted regular expressions in the configuration.\nThis issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.\nUsers are recommended to upgrade to version 2.4.68, which fixes the issue.", "A flaw was found in Apache HTTP Server. This buffer underwrite vulnerability occurs when processing crafted regular expressions in the server's configuration. An attacker could potentially exploit this to cause a denial of service." ],
  "statement" : "This Moderate impact buffer underwrite flaw in Apache HTTP Server can lead to a denial of service. The vulnerability occurs when processing specially crafted regular expressions within the server's configuration. Exploitation requires a high attack complexity, indicating that specific conditions or a complex attack vector are necessary, thereby limiting the practical risk in typical Red Hat deployments where configuration changes are tightly controlled.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "fix_state" : "Affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-44631\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-44631\nhttps://httpd.apache.org/security/vulnerabilities_24.html" ],
  "name" : "CVE-2026-44631",
  "mitigation" : {
    "value" : "Only load trusted Apache configuration; the bug triggers on crafted regex in config at start/reload (DirectoryMatch, Directory ~, ProxyMatch, etc.).\nKeep AllowOverride None where possible so untrusted users cannot inject regex via .htaccess.\nRestrict who can change httpd config and reload the service.",
    "lang" : "en:us"
  },
  "csaw" : false
}