Cyber Resilience

CVE-2026-29168
Severity: High
Published: 05 May 2026
Modified: 06 May 2026
KEV Added: not listed
Patch: available (2.4.67)
CVSS v3.1: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS: 0.0005 (15.5th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-29168 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Apache HTTP Server (mod_md). Its CVSS v3.1 base score is 7.3 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at the 15.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability); the only complete fix is upgrading to 2.4.67.

Deeper analysis

CVE-2026-29168 is an Allocation of Resources Without Limits or Throttling vulnerability (CWE-770) in the mod_md module of the Apache HTTP Server, triggered while handling OCSP response data. It affects Apache HTTP Server 2.4.30 (the release that introduced mod_md) through 2.4.66 and is fixed in 2.4.67. The CVSS v3.1 base score is 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L): network-reachable, low attack complexity, no privileges and no user interaction required.

The vulnerable code consumes OCSP responses. When mod_md manages OCSP stapling (MDStapling), it fetches those responses itself over HTTP from the responder named in the certificate, so the trigger is a crafted response returned on that path rather than a request to the server's own listening ports: an attacker who controls, or can interpose on traffic to, the OCSP responder can cause unbounded resource allocation (for example excessive memory growth) in the httpd process without authentication or user interaction. The CVSS vector rates the impact as low on confidentiality, integrity and availability; the practical consequence described by the advisory is resource exhaustion leading to denial of service.

The Apache HTTP Server security advisory recommends upgrading to version 2.4.67, which fixes the issue; no configuration workaround is published. Details are available on the Apache HTTP Server 2.4 vulnerabilities page at https://httpd.apache.org/security/vulnerabilities_24.html and in the oss-security announcement at http://www.openwall.com/lists/oss-security/2026/05/05/6.
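To triage a fleet against the advisory's version range, the following POSIX shell script is an added example (not part of the advisory or of the httpd project). It parses the version line that `httpd -v` prints, decides whether it falls in 2.4.30 through 2.4.66, and reports whether mod_md is loaded and whether `MDStapling on` appears in the configuration, the setting under which mod_md fetches OCSP responses itself. The advisory gives no configuration-based workaround, so the version check is the authoritative result and the stapling check is triage context only. It assumes the binary is called `httpd` (Debian-family builds call it `apache2`) and uses constructed sample output in place of live `httpd -v`, `httpd -M` and config output so it runs offline.

```shell
#!/bin/sh
# Added example for CVE-2026-29168 triage; not code from the advisory or from httpd.

# version_affected VERSION -> prints "affected" or "not-affected".
# Affected range from the advisory: 2.4.30 <= version <= 2.4.66.
version_affected() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.} ;;   # "4.58" -> "58"
        *)   patch= ;;             # bare "2.4" has no patch level
    esac
    patch=${patch%%[!0-9]*}        # strip suffixes such as "58-dev"
    if [ "$major" = 2 ] && [ "$minor" = 4 ] && [ -n "$patch" ] \
       && [ "$patch" -ge 30 ] && [ "$patch" -le 66 ]; then
        echo affected
    else
        echo not-affected
    fi
}

# parse_httpd_version "OUTPUT OF httpd -v" -> prints e.g. "2.4.58".
# The first line of `httpd -v` looks like "Server version: Apache/2.4.58 (Unix)".
parse_httpd_version() {
    printf '%s\n' "$1" | sed -n 's/^Server version: Apache\/\([0-9.]*\).*/\1/p'
}

# stapling_exposure "OUTPUT OF httpd -M" "CONFIG TEXT" -> one-line status.
# mod_md only performs its own OCSP fetches when MDStapling is on (the
# directive defaults to off); this is reported as context, not as a verdict.
stapling_exposure() {
    modules=$1
    config=$2
    if ! printf '%s\n' "$modules" | grep -q 'md_module'; then
        echo "mod_md not loaded"
        return
    fi
    if printf '%s\n' "$config" | grep -Eiq '^[[:space:]]*MDStapling[[:space:]]+on'; then
        echo "mod_md loaded, MDStapling on"
    else
        echo "mod_md loaded, MDStapling off"
    fi
}

# Constructed sample data standing in for `httpd -v`, `httpd -M` and the
# concatenated server configuration (assumed inputs, not captured output).
SAMPLE_V='Server version: Apache/2.4.58 (Unix)
Server built:   Jan  1 2026 00:00:00'
SAMPLE_M='Loaded Modules:
 core_module (static)
 ssl_module (shared)
 md_module (shared)'
SAMPLE_CONF='LoadModule md_module modules/mod_md.so
MDomain example.com
MDStapling on'

ver=$(parse_httpd_version "$SAMPLE_V")
echo "httpd $ver: $(version_affected "$ver") by CVE-2026-29168 (fixed in 2.4.67)"
echo "$(stapling_exposure "$SAMPLE_M" "$SAMPLE_CONF")"
```

On a live host replace the three SAMPLE_ variables with `"$(httpd -v)"`, `"$(httpd -M 2>/dev/null)"` and the output of `httpd -t -D DUMP_INCLUDES` fed through `cat`, or simply with the contents of the main configuration and its includes.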


Vulnerability details

Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's mod_md via OCSP response data. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

CWE(s)

CWE-770 Allocation of Resources Without Limits or Throttling

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Vulnerability in public-facing Apache mod_md allows unauthenticated remote exploitation via crafted OCSP responses to trigger resource exhaustion/DoS (CWE-770), directly mapping to T1190 (Exploit Public-Facing Application) for initial access and T1499.004 (Application or System Exploitation) for endpoint DoS impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-34059 (same product: Apache HTTP Server)
CVE-2026-23918 (same product: Apache HTTP Server)
CVE-2026-29169 (same product: Apache HTTP Server)
CVE-2026-24072 (same product: Apache HTTP Server)
CVE-2026-41284 (same vendor: Apache)
CVE-2024-37358 (same vendor: Apache)
CVE-2026-41604 (same vendor: Apache)
CVE-2026-39304 (same vendor: Apache)
CVE-2026-41605 (same vendor: Apache)
CVE-2025-66675 (same vendor: Apache)

Affected Assets

Apache HTTP Server: 2.4.30 through 2.4.66 (fixed in 2.4.67)

Mitigating Controls

NIST 800-53 r5

SC-6 Resource Availability (prevent): directly requires mechanisms to limit or throttle resource allocation, preventing the unbounded memory growth from crafted OCSP responses in mod_md.

SC-5 Denial-of-service Protection (prevent): mandates denial-of-service protections that explicitly address network-exploitable resource exhaustion attacks matching this OCSP-triggered flaw.

Input validation (prevent; control identifier not given on this page): requires validation of externally supplied data (OCSP responses) to reject malformed or excessively large inputs before they trigger unbounded allocation.
