Ubuntu published security notice USN-8516-1 on July 8, 2026, patching 12 Apache HTTP Server vulnerabilities across Ubuntu 22.04 LTS, 24.04 LTS, and 26.04 LTS. The Apache vulnerabilities range from denial of service to remote code execution and information disclosure. Two of the flaws allow an attacker to potentially execute arbitrary code on affected systems.
If you are running Apache HTTP Server on Ubuntu, a standard system update is all that is needed to fix all 12 issues.
How To Check If Your Apache Version Is Affected
Before updating, confirm your current apache2 version:
apache2 -v
The affected versions are:
| Ubuntu Release | Affected Version | Fixed Version |
|---|---|---|
| 26.04 LTS (Resolute Raccoon) | Earlier than 2.4.66-2ubuntu2.4 | 2.4.66-2ubuntu2.4 |
| 24.04 LTS (Noble Numbat) | Earlier than 2.4.58-1ubuntu8.15 | 2.4.58-1ubuntu8.15 |
| 22.04 LTS (Jammy Jellyfish) | Earlier than 2.4.52-1ubuntu4.23 | 2.4.52-1ubuntu4.23 |
If you are on Ubuntu 22.04 and running apache2 version 2.4.52, you are on an affected version – the fix is in the updated 2.4.52-1ubuntu4.23 package.
Apache CVEs List 2026 (USN-8516-1)
Here is the full list of Apache vulnerabilities patched in this notice:
| CVE | Module | Impact |
|---|---|---|
| CVE-2026-29167 | mod_ldap | DoS or remote code execution via memory mishandling in per-directory config |
| CVE-2026-29170 | mod_proxy_ftp | XSS via malicious FTP directory listing HTML generation |
| CVE-2026-34355 | mod_proxy_html | DoS via content from untrusted backend |
| CVE-2026-34356 | Core (ProxyPassReverseCookie) | DoS via malicious backend server |
| CVE-2026-42535 | mod_dav_fs | Authenticated user can manipulate WebDAV property databases or cause DoS |
| CVE-2026-42536 | mod_xml2enc | DoS via content from untrusted backend |
| CVE-2026-43951 | Core (response headers) | Information disclosure via multi-language content-language header handling |
| CVE-2026-44119 | Core (.htaccess) | Local information disclosure via unrestricted file functions in expressions |
| CVE-2026-44185 | mod_ssl | Information disclosure or DoS via attacker-controlled OCSP responses |
| CVE-2026-44186 | mod_proxy_ftp | DoS via responses from attacker-controlled backend FTP server |
| CVE-2026-44631 | Core (regex) | DoS or remote code execution via crafted regular expressions in server config |
| CVE-2026-48913 | mod_http2 | DoS via use-after-free when file handles are exhausted |
Critical Apache Vulnerabilities in This Batch
Two vulnerabilities in this notice stand out as the most severe:
CVE-2026-29167 (CVSS v3.0 Score: 9.8 Critical)
A flaw in how mod_ldap processes per-directory configurations could allow an attacker to crash the server or execute arbitrary code. If your Apache setup uses LDAP-based authentication, this is particularly relevant.
CVE-2026-44631 (CVSS v3.0 Score: 9.8 Critical)
Malformed regular expressions in server configuration could allow arbitrary code execution or denial of service. While exploiting this typically requires access to server configuration, environments with user-controlled config inputs (shared hosting, certain proxies) are at higher risk.
How to Fix Apache HTTP Server Vulnerabilities on Ubuntu
The fix for all 12 apache vulnerabilities is a standard system update, which you can do using the following command.
sudo apt update && sudo apt upgrade
After the update, confirm the fixed package version is installed:
apt-cache policy apache2
Then restart Apache to apply the changes:
sudo systemctl restart apache2