
CVE-2026-42536: Apache HTTP Server mod_xml2enc Heap Overflow Fixed in 2.4.68

Vulnerabilities Reporter

Apache HTTP Server 2.4.0 through 2.4.67 is affected. Upgrade to 2.4.68 now, especially where mod_xml2enc processes untrusted markup.

Impact

CVE-2026-42536 affects Apache HTTP Server 2.4.0 through 2.4.67. The flaw is a heap-based buffer overflow in mod_xml2enc, tied to xml2StartParse handling of untrusted content.

Patch now.

The current fix is Apache HTTP Server 2.4.68, released on June 8, 2026. Apache lists the issue in its 2.4 vulnerability advisory. NVD tracks the record as CVE-2026-42536.

Severity needs context. Apache rates the issue as low. CISA-ADP assigned a CVSS 3.1 base score of 7.5, High, with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Read out, that is a network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, and high availability impact with no confidentiality or integrity impact.

Affected Products

Affected: Apache HTTP Server 2.4.0 through 2.4.67.

Fixed: Apache HTTP Server 2.4.68.

Affected component: mod_xml2enc, the Apache module that provides charset and internationalization support for libxml2-based filters such as mod_proxy_html. Its job is to detect input encoding, prepare content for libxml2 parsing, and help filter modules process markup safely.

The risky path involves xml2StartParse. Apache’s module documentation describes this directive as a way to tell the parser to skip leading junk and start parsing at selected elements. That matters because the module may scan untrusted HTML or XML-like input before handing it to downstream parsing logic.

Technical Details

This is CWE-122, Heap-based Buffer Overflow.

A heap overflow occurs when software writes past the end of memory allocated on the heap. In web server code, that can corrupt adjacent memory used by the process. The immediate impact can be a crash. Under some conditions, memory corruption bugs can become code execution bugs, but the public records for CVE-2026-42536 identify availability impact, not confidentiality or integrity impact.

The CVSS vector supports that reading. C:N/I:N/A:H means no confirmed confidentiality impact, no confirmed integrity impact, and high availability impact. Treat this as a denial-of-service risk unless new exploit data changes the assessment.

The network exposure is the main concern. AV:N means the attack path is remote. PR:N means no account is required. UI:N means no user click is needed. AC:L means exploitation conditions are not rated complex.

The flaw is narrow, but Apache is widely deployed. Internet-facing reverse proxies, content gateways, and legacy virtual hosts often carry modules that were enabled years earlier and never revisited. Operators should verify actual module loading, not rely on assumptions.

Check for mod_xml2enc in Apache configuration. Review LoadModule xml2enc_module directives. Inspect enabled module directories on Debian and Ubuntu systems, often under /etc/apache2/mods-enabled/. Inspect Red Hat-style systems for module loading under /etc/httpd/conf.modules.d/ and related include files.

Also check for xml2StartParse. That directive can appear in server config, virtual host config, directory context, or .htaccess, depending on local policy. If untrusted upstream content flows through markup-aware filters, prioritize those hosts.
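The two checks described above, as an added shell example that is not from the advisory or the Apache project: the first reads the module list the server itself prints with `httpd -M` (`apache2ctl -M` on Debian and Ubuntu), which is more reliable than grepping for LoadModule lines, and the second searches only the config paths the server actually includes for uncommented xml2StartParse directives, following the symlinks Debian uses in mods-enabled/ and sites-enabled/. The helper names, the sample module listing and the Debian-style sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added audit helpers (hypothetical; not from the advisory or the Apache project).
# Two checks: whether xml2enc_module is in the server's own loaded-module list
# (the output of `httpd -M` / `apache2ctl -M`), and where xml2StartParse is set
# in the config paths the server actually includes.

# Read `httpd -M` output on stdin; succeed if xml2enc_module is loaded.
# Lines look like "  xml2enc_module (shared)" or "  core_module (static)".
xml2enc_in_module_list() {
    grep -Eq '^[[:space:]]*xml2enc_module[[:space:]]+\((shared|static)\)'
}

# Wrapper around the live binary (apache2ctl on Debian, httpd on Red Hat-style).
xml2enc_loaded_live() {
    "$1" -M 2>/dev/null | xml2enc_in_module_list
}

# Print "file:line:text" for each uncommented xml2StartParse directive under the
# given paths (files or directories), following symlinks such as Debian's
# sites-enabled/ and mods-enabled/ links. Directive names are case-insensitive.
find_xml2startparse() {
    find -L "$@" -type f -exec grep -HEin \
        '^[[:space:]]*xml2StartParse[[:space:]]' {} + 2>/dev/null || true
}

# Count the directives found, trimming the leading spaces BSD wc pads with.
count_xml2startparse() {
    find_xml2startparse "$@" | wc -l | tr -d ' '
}

# Constructed sample tree in Debian layout, so the audit can be run offline.
# mods-available/ holds an inert copy: only mods-enabled/ is included by
# apache2.conf, so point the audit at the enabled paths, not at all of /etc/apache2,
# or a disabled module would show up as a false positive.
make_sample_config() {
    root=$(mktemp -d)
    mkdir -p "$root/mods-available" "$root/mods-enabled" \
             "$root/sites-available" "$root/sites-enabled"
    echo 'LoadModule xml2enc_module /usr/lib/apache2/modules/mod_xml2enc.so' \
        > "$root/mods-available/xml2enc.load"
    ln -s ../mods-available/xml2enc.load "$root/mods-enabled/xml2enc.load"
    cat > "$root/sites-available/proxy.conf" <<'EOF'
<VirtualHost *:80>
    ProxyPass / http://backend.example.internal/
    ProxyHTMLEnable On
    # xml2StartParse html        (commented out: must not be reported)
    XML2StartParse html body
</VirtualHost>
EOF
    ln -s ../sites-available/proxy.conf "$root/sites-enabled/proxy.conf"
    printf 'IncludeOptional mods-enabled/*.load\nIncludeOptional sites-enabled/*.conf\n' \
        > "$root/apache2.conf"
    echo "$root"
}

# Constructed `httpd -M` output for a host that has the module loaded.
SAMPLE_MODULE_LIST='Loaded Modules:
 core_module (static)
 proxy_html_module (shared)
 xml2enc_module (shared)'

# Usage on a live Debian-style host:
#   ./xml2enc_audit.sh apache2ctl /etc/apache2/apache2.conf \
#       /etc/apache2/mods-enabled /etc/apache2/sites-enabled /etc/apache2/conf-enabled
# On Red Hat-style hosts use httpd and /etc/httpd/conf/httpd.conf, conf.modules.d, conf.d.
if [ $# -ge 2 ]; then
    bin=$1; shift
    if xml2enc_loaded_live "$bin"; then
        echo "xml2enc_module is loaded; xml2StartParse directives:"
        find_xml2startparse "$@"
    else
        echo "xml2enc_module is not loaded (any xml2StartParse directives are inert)"
    fi
fi
```

Remember that .htaccess files live under document roots, not under /etc, so pass those directories too where AllowOverride permits the directive; and that a host with the module loaded but no xml2StartParse directive still needs the upgrade, the directive only tells you where to look first.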

Timeline

April 27, 2026: The issue was reported to the Apache security team.

June 4, 2026: Apache fixed the issue in the 2.4.x branch.

June 8, 2026: Apache released HTTP Server 2.4.68.

June 8, 2026: The CVE record was received from the Apache Software Foundation.

June 8, 2026: CISA-ADP added CVSS 3.1 scoring.

June 9, 2026: NVD performed initial analysis and listed affected Apache HTTP Server versions from 2.4.0 up to, but not including, 2.4.68.

Mitigation

Upgrade Apache HTTP Server to 2.4.68.

Use vendor packages where available. Source users should download 2.4.68 from the official Apache download page and verify signatures and checksums before deployment.

Restart Apache after patching. Confirm the running binary, not only the installed package version. Use apachectl -v, httpd -v, package manager queries, and service status checks as appropriate for the platform.
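The version confirmation described above, as an added shell example that is not from the advisory or the Apache project: it parses the "Server version:" line that `httpd -v` or `apache2ctl -v` prints, compares the dotted version numerically without relying on GNU `sort -V`, and reports whether the build sits in the affected range 2.4.0 through 2.4.67. The helper names and the sample `-v` outputs are constructed for illustration.

```shell
#!/bin/sh
# Added version check (hypothetical helper, not from the advisory or the Apache project).
# Parses the "Server version:" line printed by `httpd -v` / `apache2ctl -v` and
# decides whether the build falls in the affected range 2.4.0 through 2.4.67.

# Extract "2.4.67" from "Server version: Apache/2.4.67 (Unix)" read on stdin.
apache_version_from_v() {
    sed -n 's/^Server version: *Apache\/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# Compare two dotted versions component by component; prints lt, eq or gt.
# Missing trailing components count as 0, so 2.4 equals 2.4.0.
vercmp() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ -n "$ai" ] || ai=0
        [ -n "$bi" ] || bi=0
        if [ "$ai" -lt "$bi" ]; then echo lt; return; fi
        if [ "$ai" -gt "$bi" ]; then echo gt; return; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    echo eq
}

# True (exit 0) when the version is affected: 2.4.0 <= v < 2.4.68.
is_affected_by_cve_2026_42536() {
    [ "$(vercmp "$1" 2.4.0)" != lt ] && [ "$(vercmp "$1" 2.4.68)" = lt ]
}

# Human-readable verdict for a version string.
verdict_for_version() {
    if is_affected_by_cve_2026_42536 "$1"; then
        echo "AFFECTED: Apache $1 is in 2.4.0..2.4.67; upgrade to 2.4.68"
    else
        echo "not in affected range: Apache $1"
    fi
}

# Live check: run the named binary with -v. Use the same path the service unit
# starts (e.g. from `systemctl show -p ExecStart apache2`) so a stale copy
# elsewhere on PATH is not mistaken for the running server.
verdict_for_binary() {
    v=$("$1" -v 2>/dev/null | apache_version_from_v)
    [ -n "$v" ] || { echo "could not read version from $1 -v"; return 2; }
    verdict_for_version "$v"
}

# Constructed sample outputs for offline use.
SAMPLE_V_OLD='Server version: Apache/2.4.67 (Ubuntu)
Server built:   2026-05-01T00:00:00'
SAMPLE_V_NEW='Server version: Apache/2.4.68 (Unix)
Server built:   2026-06-08T00:00:00'

# Usage: ./apache_version_check.sh /usr/sbin/apache2   (or /usr/sbin/httpd)
if [ -n "$1" ]; then verdict_for_binary "$1"; fi
```

One caveat for vendor packages: Debian, Ubuntu and Red Hat commonly backport security fixes without changing the upstream version string, so a package may report 2.4.6x yet already carry the fix. Check the distribution's own advisory or the package changelog before treating a version-only check as a vulnerable finding. The check is still useful after patching: if the binary still reports an older version, the restart did not pick up the new build.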

If immediate upgrade is blocked, reduce exposure. Disable mod_xml2enc where it is not required. Remove or restrict configurations that process untrusted markup through libxml2-based filters. Review use of mod_proxy_html and related filter chains.

Do not treat module removal as a permanent fix. The vendor fix is 2.4.68.

Operations Guidance

Patch internet-facing Apache systems first. Then patch internal reverse proxies and application gateways. Then patch developer, staging, and backup images so vulnerable builds are not redeployed later.

Inventory containers separately. Many Apache deployments are embedded inside application images. Rebuilding the base image is required if the image contains Apache 2.4.67 or earlier.

Monitor for repeated crashes in Apache child processes. Watch error logs, service restarts, health-check failures, and unusual requests carrying malformed markup or unexpected character encoding declarations.
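The crash monitoring described above, as an added shell example that is not from the advisory or the Apache project: it scans an Apache 2.4 error log for child processes that exited on a signal and reports any minute in which the count reaches a threshold, which is the pattern a triggered heap overflow would leave behind given the availability-only CVSS vector. The sample log lines are constructed, modelled on the default ErrorLogFormat and on Apache's AH00052 child-exit notice; the helper names are also constructed.

```shell
#!/bin/sh
# Added detection helper (hypothetical; not from the advisory or the Apache project).
# Scans an Apache 2.4 error log for children that died by signal and reports
# minutes in which the count reaches a threshold. Repeated child crashes are the
# expected symptom of this bug being hit (availability impact only, per CVSS).

# Read error-log lines on stdin; print "YYYY Mon DD HH:MM <count>" for every
# minute with at least $1 (default 3) child exit-by-signal events.
# Assumes the default 2.4 ErrorLogFormat, whose timestamp is fields 1-5:
#   [Mon Jun 08 12:00:01.123456 2026] ...
crash_bursts() {
    threshold=${1:-3}
    awk -v thr="$threshold" '
        # Match the child-exit notice, e.g.
        # [Mon Jun 08 12:03:11.200000 2026] [core:notice] [pid 1200:tid 1] AH00052: child pid 1231 exit signal Segmentation fault (11)
        /child pid [0-9]+ exit signal/ {
            split($4, t, ":")                      # "12:03:11.200000" -> 12, 03
            key = $5 " " $2 " " $3 " " t[1] ":" t[2]
            gsub(/\]/, "", key)                    # strip the "]" from "2026]"
            n[key]++
            if (!(key in order)) { order[key] = ++cnt; keys[cnt] = key }
        }
        END {
            for (i = 1; i <= cnt; i++)
                if (n[keys[i]] >= thr) print keys[i], n[keys[i]]
        }'
}

# Total number of child exit-by-signal events on stdin (prints 0 when none).
crash_count() {
    grep -c 'child pid [0-9]* exit signal' || true
}

# Constructed sample log: one startup notice, a burst of three segfaults inside
# one minute, and an isolated segfault an hour later.
SAMPLE_ERROR_LOG='[Mon Jun 08 12:00:01.100000 2026] [mpm_event:notice] [pid 1200:tid 1] AH00489: Apache/2.4.67 (Unix) configured -- resuming normal operations
[Mon Jun 08 12:03:11.200000 2026] [core:notice] [pid 1200:tid 1] AH00052: child pid 1231 exit signal Segmentation fault (11)
[Mon Jun 08 12:03:12.300000 2026] [core:notice] [pid 1200:tid 1] AH00052: child pid 1232 exit signal Segmentation fault (11)
[Mon Jun 08 12:03:40.400000 2026] [core:notice] [pid 1200:tid 1] AH00052: child pid 1233 exit signal Segmentation fault (11)
[Mon Jun 08 13:10:00.000000 2026] [core:notice] [pid 1200:tid 1] AH00052: child pid 1299 exit signal Segmentation fault (11)'

# Usage: ./apache_crash_bursts.sh /var/log/apache2/error.log [threshold]
if [ -n "$1" ]; then
    echo "child exit-by-signal events: $(crash_count < "$1")"
    crash_bursts "${2:-3}" < "$1"
fi
```

If ErrorLogFormat has been customised, adjust the field positions in the awk key. A burst alone does not prove exploitation, but correlating the minute with access-log entries that reached hosts running mod_proxy_html or other libxml2-based filters, and checking whether those requests carried unusual markup or charset declarations, is the triage the advisory asks for.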

This CVE is not a Microsoft vulnerability despite the supplied Microsoft Security Update Guide page title. Authoritative public records identify the source as the Apache Software Foundation and the affected product as Apache HTTP Server.
