USN-8239-1

Source
https://ubuntu.com/security/notices/USN-8239-1
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8239-1.json
JSON Data
https://api.osv.dev/v1/vulns/USN-8239-1
Published
2026-05-06T19:55:12Z
Modified
2026-05-20T16:04:04.155244264Z
Summary
apache2 vulnerabilities
Details

Bartlomiej Dmitruk and Stanislaw Strzalkowski discovered that Apache HTTP Server incorrectly handled certain memory operations when using the HTTP/2 protocol. A remote attacker could use this issue to cause Apache HTTP Server to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 26.04 LTS. (CVE-2026-23918)

It was discovered that the Apache HTTP Server mod_rewrite module incorrectly handled certain privileges. A local attacker could possibly use this issue to obtain sensitive information. (CVE-2026-24072)

Andrew Lacambra, Elhanan Haenel, Tianshuo Han, and Tristan Madani discovered that the Apache HTTP Server mod_proxy_ajp module incorrectly handled certain AJP server messages. An attacker in control of a backend AJP server could use this issue to cause Apache HTTP Server to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2026-28780)

Pavel Kohout discovered that Apache HTTP Server did not properly limit resource allocation in mod_md when processing OCSP response data. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2026-29168)

Pavel Kohout discovered that the Apache HTTP Server incorrectly handled certain memory operations in mod_dav_lock. A remote attacker could possibly use this issue to cause Apache HTTP Server to crash, resulting in a denial of service. (CVE-2026-29169)

Nitescu Lucian discovered that Apache HTTP Server had a timing attack vulnerability in mod_auth_digest. A remote attacker could possibly use this issue to bypass Digest authentication. (CVE-2026-33006)

Pavel Kohout and Arkadi Vainbrand discovered that Apache HTTP Server incorrectly handled certain memory operations in mod_authn_socache. A remote attacker could possibly use this issue to cause Apache HTTP Server to crash, resulting in a denial of service. (CVE-2026-33007)

Haruki Oyama, Merih Mengisteab, and Dawit Jeong discovered that Apache HTTP Server had an HTTP response splitting vulnerability in multiple modules when used with untrusted or compromised backend servers. An attacker could possibly use this issue to inject arbitrary HTTP headers. (CVE-2026-33523)

Elhanan Haenel discovered that Apache HTTP Server incorrectly handled certain memory operations in mod_proxy_ajp. A remote attacker could possibly use this issue to cause Apache HTTP Server to crash, resulting in a denial of service. (CVE-2026-33857)

Tianshuo Han and Jérôme Djouder discovered that Apache HTTP Server incorrectly handled certain string operations in mod_proxy_ajp. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2026-34032)

Elhanan Haenel discovered that Apache HTTP Server incorrectly handled certain memory operations in mod_proxy_ajp. A remote attacker could use this issue to cause Apache HTTP Server to crash, resulting in a denial of service, or possibly obtain sensitive information. (CVE-2026-34059)

Affected packages

Ubuntu:22.04:LTS / apache2

Package

Name
apache2
Purl
pkg:deb/ubuntu/apache2?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.4.52-1ubuntu4.20

Affected versions

2.*
2.4.48-3.1ubuntu3
2.4.48-3.1ubuntu4
2.4.51-2ubuntu1
2.4.52-1ubuntu1
2.4.52-1ubuntu2
2.4.52-1ubuntu4
2.4.52-1ubuntu4.1
2.4.52-1ubuntu4.2
2.4.52-1ubuntu4.3
2.4.52-1ubuntu4.4
2.4.52-1ubuntu4.5
2.4.52-1ubuntu4.6
2.4.52-1ubuntu4.7
2.4.52-1ubuntu4.8
2.4.52-1ubuntu4.9
2.4.52-1ubuntu4.10
2.4.52-1ubuntu4.11
2.4.52-1ubuntu4.12
2.4.52-1ubuntu4.13
2.4.52-1ubuntu4.14
2.4.52-1ubuntu4.15
2.4.52-1ubuntu4.16
2.4.52-1ubuntu4.18
2.4.52-1ubuntu4.19

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_version": "2.4.52-1ubuntu4.20",
            "binary_name": "apache2"
        },
        {
            "binary_version": "2.4.52-1ubuntu4.20",
            "binary_name": "apache2-bin"
        },
        {
            "binary_version": "2.4.52-1ubuntu4.20",
            "binary_name": "apache2-data"
        },
        {
            "binary_version": "2.4.52-1ubuntu4.20",
            "binary_name": "apache2-suexec-custom"
        },
        {
            "binary_version": "2.4.52-1ubuntu4.20",
            "binary_name": "apache2-suexec-pristine"
        },
        {
            "binary_version": "2.4.52-1ubuntu4.20",
            "binary_name": "apache2-utils"
        },
        {
            "binary_version": "2.4.52-1ubuntu4.20",
            "binary_name": "libapache2-mod-md"
        },
        {
            "binary_version": "2.4.52-1ubuntu4.20",
            "binary_name": "libapache2-mod-proxy-uwsgi"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8239-1.json"
cves_map
{
    "ecosystem": "Ubuntu:22.04:LTS",
    "cves": [
        {
            "id": "CVE-2026-24072",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                },
                {
                    "type": "Ubuntu",
                    "score": "medium"
                }
            ]
        },
        {
            "id": "CVE-2026-28780",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        },
        {
            "id": "CVE-2026-29168",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        },
        {
            "id": "CVE-2026-29169",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        },
        {
            "id": "CVE-2026-33006",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        },
        {
            "id": "CVE-2026-33007",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        },
        {
            "id": "CVE-2026-33523",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        },
        {
            "id": "CVE-2026-33857",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        },
        {
            "id": "CVE-2026-34032",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        },
        {
            "id": "CVE-2026-34059",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        }
    ]
}

Ubuntu:24.04:LTS / apache2

Package

Name
apache2
Purl
pkg:deb/ubuntu/apache2?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.4.58-1ubuntu8.12

Affected versions

2.*
2.4.57-2ubuntu2
2.4.57-2ubuntu3
2.4.58-1ubuntu1
2.4.58-1ubuntu2
2.4.58-1ubuntu6
2.4.58-1ubuntu7
2.4.58-1ubuntu8
2.4.58-1ubuntu8.1
2.4.58-1ubuntu8.2
2.4.58-1ubuntu8.3
2.4.58-1ubuntu8.4
2.4.58-1ubuntu8.5
2.4.58-1ubuntu8.6
2.4.58-1ubuntu8.7
2.4.58-1ubuntu8.8
2.4.58-1ubuntu8.10
2.4.58-1ubuntu8.11

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_version": "2.4.58-1ubuntu8.12",
            "binary_name": "apache2"
        },
        {
            "binary_version": "2.4.58-1ubuntu8.12",
            "binary_name": "apache2-bin"
        },
        {
            "binary_version": "2.4.58-1ubuntu8.12",
            "binary_name": "apache2-data"
        },
        {
            "binary_version": "2.4.58-1ubuntu8.12",
            "binary_name": "apache2-suexec-custom"
        },
        {
            "binary_version": "2.4.58-1ubuntu8.12",
            "binary_name": "apache2-suexec-pristine"
        },
        {
            "binary_version": "2.4.58-1ubuntu8.12",
            "binary_name": "apache2-utils"
        },
        {
            "binary_version": "2.4.58-1ubuntu8.12",
            "binary_name": "libapache2-mod-md"
        },
        {
            "binary_version": "2.4.58-1ubuntu8.12",
            "binary_name": "libapache2-mod-proxy-uwsgi"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8239-1.json"
cves_map
{
    "ecosystem": "Ubuntu:24.04:LTS",
    "cves": [
        {
            "id": "CVE-2026-24072",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                },
                {
                    "type": "Ubuntu",
                    "score": "medium"
                }
            ]
        },
        {
            "id": "CVE-2026-28780",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        },
        {
            "id": "CVE-2026-29168",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        },
        {
            "id": "CVE-2026-29169",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        },
        {
            "id": "CVE-2026-33006",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        },
        {
            "id": "CVE-2026-33007",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        },
        {
            "id": "CVE-2026-33523",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        },
        {
            "id": "CVE-2026-33857",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        },
        {
            "id": "CVE-2026-34032",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        },
        {
            "id": "CVE-2026-34059",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        }
    ]
}

Ubuntu:25.10 / apache2

Package

Name
apache2
Purl
pkg:deb/ubuntu/apache2?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.4.64-1ubuntu3.4

Affected versions

2.*
2.4.63-1ubuntu1
2.4.63-1ubuntu3
2.4.64-1ubuntu2
2.4.64-1ubuntu3
2.4.64-1ubuntu3.2
2.4.64-1ubuntu3.3

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_version": "2.4.64-1ubuntu3.4",
            "binary_name": "apache2"
        },
        {
            "binary_version": "2.4.64-1ubuntu3.4",
            "binary_name": "apache2-bin"
        },
        {
            "binary_version": "2.4.64-1ubuntu3.4",
            "binary_name": "apache2-data"
        },
        {
            "binary_version": "2.4.64-1ubuntu3.4",
            "binary_name": "apache2-suexec-custom"
        },
        {
            "binary_version": "2.4.64-1ubuntu3.4",
            "binary_name": "apache2-suexec-pristine"
        },
        {
            "binary_version": "2.4.64-1ubuntu3.4",
            "binary_name": "apache2-utils"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8239-1.json"
cves_map
{
    "ecosystem": "Ubuntu:25.10",
    "cves": [
        {
            "id": "CVE-2026-24072",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                },
                {
                    "type": "Ubuntu",
                    "score": "medium"
                }
            ]
        },
        {
            "id": "CVE-2026-28780",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        },
        {
            "id": "CVE-2026-29168",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        },
        {
            "id": "CVE-2026-29169",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        },
        {
            "id": "CVE-2026-33006",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        },
        {
            "id": "CVE-2026-33007",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        },
        {
            "id": "CVE-2026-33523",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        },
        {
            "id": "CVE-2026-33857",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        },
        {
            "id": "CVE-2026-34032",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        },
        {
            "id": "CVE-2026-34059",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        }
    ]
}

Ubuntu:26.04:LTS / apache2

Package

Name
apache2
Purl
pkg:deb/ubuntu/apache2?arch=source&distro=resolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.4.66-2ubuntu2.1

Affected versions

2.*
2.4.64-1ubuntu3
2.4.65-3ubuntu1
2.4.66-2ubuntu1
2.4.66-2ubuntu2

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_version": "2.4.66-2ubuntu2.1",
            "binary_name": "apache2"
        },
        {
            "binary_version": "2.4.66-2ubuntu2.1",
            "binary_name": "apache2-bin"
        },
        {
            "binary_version": "2.4.66-2ubuntu2.1",
            "binary_name": "apache2-data"
        },
        {
            "binary_version": "2.4.66-2ubuntu2.1",
            "binary_name": "apache2-suexec-custom"
        },
        {
            "binary_version": "2.4.66-2ubuntu2.1",
            "binary_name": "apache2-suexec-pristine"
        },
        {
            "binary_version": "2.4.66-2ubuntu2.1",
            "binary_name": "apache2-utils"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8239-1.json"
cves_map
{
    "ecosystem": "Ubuntu:26.04:LTS",
    "cves": [
        {
            "id": "CVE-2026-23918",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                },
                {
                    "type": "Ubuntu",
                    "score": "high"
                }
            ]
        },
        {
            "id": "CVE-2026-24072",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                },
                {
                    "type": "Ubuntu",
                    "score": "medium"
                }
            ]
        },
        {
            "id": "CVE-2026-28780",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        },
        {
            "id": "CVE-2026-29168",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        },
        {
            "id": "CVE-2026-29169",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        },
        {
            "id": "CVE-2026-33006",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        },
        {
            "id": "CVE-2026-33007",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        },
        {
            "id": "CVE-2026-33523",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        },
        {
            "id": "CVE-2026-33857",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        },
        {
            "id": "CVE-2026-34032",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        },
        {
            "id": "CVE-2026-34059",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ]
        }
    ]
}