Apache HTTP Server 2.4.67 and earlier are affected when mod_proxy_html processes content from an untrusted backend.
CVE-2026-34355 affects Apache HTTP Server versions 2.4.0 through 2.4.67. The vulnerable component is mod_proxy_html, a reverse-proxy output filter that rewrites HTML links in proxied responses.
Impact is direct. A malicious or compromised backend can trigger a buffer overflow while Apache processes proxied HTML content. The Apache advisory rates the issue moderate. NVD lists a CISA-ADP CVSS 3.1 score of 7.5, High, with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
This is a service availability risk first. The published CVSS vector assigns high availability impact and no confidentiality or integrity impact. Operators should still treat it as urgent. Apache often sits at the public edge. Reverse proxies terminate TLS, route traffic, enforce access rules, and front internal applications. A crash at that layer can become an outage for multiple services behind it.
The affected module matters. mod_proxy_html rewrites links in HTML returned by backend servers so those links work through a gateway or reverse proxy. A common deployment exposes an internal application through a public Apache endpoint. The backend may emit links pointing to internal hostnames. mod_proxy_html parses the response body and rewrites those links before the client receives the page.
That parsing path is the exposure. Apache says the buffer overflow can be attacked by an untrusted backend. This means the attacker does not necessarily need direct control of the Apache host. The attacker needs a path to influence the backend response that Apache proxies and filters. That path could be a compromised upstream application, a hostile backend in a multi-tenant environment, or an application feature that reflects attacker-controlled HTML through the proxied response.
Affected product: Apache HTTP Server 2.4.0 through 2.4.67. Fixed version: 2.4.68. Vulnerable component: mod_proxy_html, module identifier proxy_html_module, source file mod_proxy_html.c.
CVE ID: CVE-2026-34355. Weakness: CWE-122, heap-based buffer overflow. Vendor advisory: Apache HTTP Server 2.4 vulnerabilities. Public mailing-list notice: oss-security disclosure.
Mitigation is clear. Upgrade Apache HTTP Server to version 2.4.68. Do not wait for exploitation signals. Patch edge proxies first. Then patch internal reverse proxies that process HTML from application backends.
If an immediate upgrade is not possible, reduce exposure. Disable mod_proxy_html where it is not required. Review configurations that use ProxyHTMLEnable On, ProxyHTMLURLMap, ProxyHTMLExtended, and related directives. Restrict which backends can feed content into Apache proxy filters. Treat backend servers as part of the trust boundary, not as harmless internal systems.
Temporary configuration changes must be tested. Disabling mod_proxy_html can break links in proxied applications that depend on HTML rewriting. The safer long-term action remains the upgrade to 2.4.68.
Detection should start with inventory. Identify Apache instances running 2.4.67 or earlier. Check whether mod_proxy_html is loaded statically or through LoadModule. Search configuration repositories for proxy_html_module, ProxyHTMLEnable, and ProxyHTMLURLMap. Prioritize internet-facing reverse proxies and gateways that route to backends managed by separate teams or vendors.
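The configuration review in the mitigation paragraph and the inventory steps above can be scripted per host. The following is an added example written for this page, not code from the Apache project or the advisory; it assumes the server binary is reachable as httpd or apache2ctl, and it scans two constructed sample configuration trees standing in for /etc/httpd or /etc/apache2.

```shell
#!/bin/sh
# Added host-level inventory check for CVE-2026-34355 exposure. Assumes (not
# from the advisory) that the server binary is reachable as httpd or apache2ctl
# and that directive names match case-insensitively, as Apache treats them.

# True (exit 0) when the string names a 2.4.x release below the fixed 2.4.68.
# Accepts bare "2.4.67" or the full first line of `httpd -v`.
version_is_vulnerable() {
    parsed=$(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$parsed" ] || return 1          # unparseable: do not claim vulnerable
    set -- $parsed
    [ "$1" -eq 2 ] && [ "$2" -eq 4 ] && [ "$3" -lt 68 ]
}

# True when a file under configuration tree $1 loads or enables mod_proxy_html.
# Lines commented out with '#' are skipped, so a disabled module is not exposure.
config_uses_proxy_html() {
    grep -rIiEq \
        '^[[:space:]]*(LoadModule[[:space:]]+proxy_html_module|ProxyHTMLEnable[[:space:]]+On|ProxyHTMLURLMap|ProxyHTMLExtended)' \
        "$1" 2>/dev/null
}

# Constructed sample trees standing in for /etc/httpd or /etc/apache2.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/exposed" "$demo/clean"
cat >"$demo/exposed/proxy.conf" <<'EOF'
LoadModule proxy_html_module modules/mod_proxy_html.so
<Location /app>
    ProxyHTMLEnable On
    ProxyHTMLURLMap http://app.internal/ /app/
</Location>
EOF
cat >"$demo/clean/proxy.conf" <<'EOF'
#LoadModule proxy_html_module modules/mod_proxy_html.so
#ProxyHTMLEnable On
EOF

# Version of the locally installed server, if any.
banner=$( { httpd -v || apache2ctl -v; } 2>/dev/null | head -n 1 )
if [ -n "$banner" ] && version_is_vulnerable "$banner"; then
    echo "installed server is affected, upgrade to 2.4.68: $banner"
fi
for tree in "$demo/exposed" "$demo/clean"; do
    if config_uses_proxy_html "$tree"; then
        echo "$tree: mod_proxy_html active, patch this proxy first"
    else
        echo "$tree: mod_proxy_html not enabled"
    fi
done
```

Point the second function at the real configuration root and run the version check against each host's `httpd -v` output to build the prioritised list the paragraph describes.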
Timeline: the issue was reported to the Apache security team on March 21, 2026. Apache fixed it in the 2.4.x branch on June 4, 2026. Apache HTTP Server 2.4.68 was released on June 8, 2026. NVD published the record on June 8, 2026 and recorded initial analysis on June 9, 2026.
Administrators should patch now. Confirm version 2.4.68 or later after deployment. Restart Apache where required. Monitor error logs for crashes, abnormal backend responses, and proxy filter failures during rollout.