Ubuntu Fixes Apache HTTP Server Vulnerabilities (2026)

Apache HTTP Server

Apache HTTP Server

Track EOL dates for all Apache HTTP Server versions.

View all versions →

Ubuntu published security notice USN-8516-1 on July 8, 2026, patching 12 Apache HTTP Server vulnerabilities across Ubuntu 22.04 LTS, 24.04 LTS, and 26.04 LTS. The Apache vulnerabilities range from denial of service to remote code execution and information disclosure. Two of the flaws allow an attacker to potentially execute arbitrary code on affected systems.

If you are running Apache HTTP Server on Ubuntu, a standard system update is all that is needed to fix all 12 issues.

How To Check If Your Apache Version Is Affected

Before updating, confirm your current apache2 version:

apache2 -v

The affected versions are:

Ubuntu Release Affected Version Fixed Version
26.04 LTS (Resolute Raccoon) Earlier than 2.4.66-2ubuntu2.4 2.4.66-2ubuntu2.4
24.04 LTS (Noble Numbat) Earlier than 2.4.58-1ubuntu8.15 2.4.58-1ubuntu8.15
22.04 LTS (Jammy Jellyfish) Earlier than 2.4.52-1ubuntu4.23 2.4.52-1ubuntu4.23

If you are on Ubuntu 22.04 and running apache2 version 2.4.52, you are on an affected version – the fix is in the updated 2.4.52-1ubuntu4.23 package.

Apache CVEs List 2026 (USN-8516-1)

Here is the full list of Apache vulnerabilities patched in this notice:

CVE Module Impact
CVE-2026-29167 mod_ldap DoS or remote code execution via memory mishandling in per-directory config
CVE-2026-29170 mod_proxy_ftp XSS via malicious FTP directory listing HTML generation
CVE-2026-34355 mod_proxy_html DoS via content from untrusted backend
CVE-2026-34356 Core (ProxyPassReverseCookie) DoS via malicious backend server
CVE-2026-42535 mod_dav_fs Authenticated user can manipulate WebDAV property databases or cause DoS
CVE-2026-42536 mod_xml2enc DoS via content from untrusted backend
CVE-2026-43951 Core (response headers) Information disclosure via multi-language content-language header handling
CVE-2026-44119 Core (.htaccess) Local information disclosure via unrestricted file functions in expressions
CVE-2026-44185 mod_ssl Information disclosure or DoS via attacker-controlled OCSP responses
CVE-2026-44186 mod_proxy_ftp DoS via responses from attacker-controlled backend FTP server
CVE-2026-44631 Core (regex) DoS or remote code execution via crafted regular expressions in server config
CVE-2026-48913 mod_http2 DoS via use-after-free when file handles are exhausted

Critical Apache Vulnerabilities in This Batch

Two vulnerabilities in this notice stand out as the most severe:

CVE-2026-29167 (CVSS v3.0 Score: 9.8 Critical)

A flaw in how mod_ldap processes per-directory configurations could allow an attacker to crash the server or execute arbitrary code. If your Apache setup uses LDAP-based authentication, this is particularly relevant.

CVE-2026-44631 (CVSS v3.0 Score: 9.8 Critical)

Malformed regular expressions in server configuration could allow arbitrary code execution or denial of service. While exploiting this typically requires access to server configuration, environments with user-controlled config inputs (shared hosting, certain proxies) are at higher risk.

How to Fix Apache HTTP Server Vulnerabilities on Ubuntu

The fix for all 12 apache vulnerabilities is a standard system update, which you can do using the following command.

sudo apt update && sudo apt upgrade

After the update, confirm the fixed package version is installed:

apt-cache policy apache2

Then restart Apache to apply the changes:

sudo systemctl restart apache2

References

Tagged: Security Notices apache cve httpd security ubuntu vulnerabilities