Cyber Posture

CVE-2026-29169

High

Published: 04 May 2026

Modified: 05 May 2026
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0036 (58.5th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-29169 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Apache HTTP Server. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 41.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004).

Threat & Defense Details

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

A NULL pointer dereference in a publicly exposed Apache mod_dav_lock allows an unauthenticated remote request to crash the server process, directly enabling T1499.004 Application or System Exploitation for DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an attacker to crash the server with a malicious request. mod_dav_lock is not used internally by mod_dav or mod_dav_fs. The only known use-case for mod_dav_lock was mod_dav_svn from Apache Subversion earlier than version 1.2.0. Users are recommended to upgrade to version 2.4.66, which fixes this issue, or remove mod_dav_lock.

Deeper analysis

CVE-2026-29169 is a NULL pointer dereference vulnerability in the mod_dav_lock module of Apache HTTP Server versions 2.4.66 and earlier. This flaw occurs when processing a malicious request, potentially leading to a server crash. The mod_dav_lock module is not used internally by mod_dav or mod_dav_fs, with its only known use case being mod_dav_svn from Apache Subversion versions earlier than 1.2.0. The vulnerability is classified under CWE-476 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction by sending a specially crafted request to a server with mod_dav_lock enabled. Successful exploitation results in a denial-of-service condition through server crashes, disrupting availability without impacting confidentiality or integrity.

The official Apache HTTP Server security advisory recommends upgrading to version 2.4.66, which addresses the issue, or removing the mod_dav_lock module entirely. Additional details are available on the Apache vulnerabilities page at https://httpd.apache.org/security/vulnerabilities_24.html and in the oss-security mailing list announcement at http://www.openwall.com/lists/oss-security/2026/05/04/20.

Details

CWE(s)

Affected Products

Vendor: apache; Product: http server; Versions: ≤ 2.4.67

CVEs Like This One

CVE-2026-29168 (same product: Apache HTTP Server)
CVE-2025-53477 (same vendor: Apache)
CVE-2026-34059 (same product: Apache HTTP Server)
CVE-2026-23918 (same product: Apache HTTP Server)
CVE-2026-24072 (same product: Apache HTTP Server)
CVE-2025-48431 (same vendor: Apache)
CVE-2026-42402 (same vendor: Apache)
CVE-2026-42403 (same vendor: Apache)
CVE-2026-41636 (same vendor: Apache)
CVE-2025-23184 (same vendor: Apache)
