This Red Hat security advisory addresses six vulnerabilities in the Apache HTTP Server 2.4 package, including CVE-2025-53020 (HTTP/2 DoS by memory increase), CVE-2026-34059 (heap-based buffer over-read and memory disclosure in mod_proxy_ajp), CVE-2026-34032 (heap-based buffer over-read due to missing null-termination check in mod_proxy_ajp), CVE-2026-33857 (off-by-one out-of-bounds reads in mod_proxy_ajp), CVE-2026-33007 (NULL pointer dereference causing child process crash in mod_authn_socache), and CVE-2026-28780 (arbitrary code execution via heap-based buffer overflow in mod_proxy_ajp). These vulnerabilities could lead to denial of service, information disclosure, process crashes, or remote code execution. The advisory provides updated packages for Red Hat Enterprise Linux 8 on multiple architectures to remediate these issues.

The vulnerabilities collectively pose risks including denial of service through memory exhaustion, information disclosure via buffer over-reads, process crashes due to NULL pointer dereferences, and potentially arbitrary code execution through heap-based buffer overflow. These impacts could affect the availability, confidentiality, and integrity of systems running the affected Apache HTTP Server versions on Red Hat Enterprise Linux 8. No known active exploitation has been reported.

Red Hat has released updated httpd packages for Red Hat Enterprise Linux 8 that address these vulnerabilities. Users should apply the security update as soon as possible following Red Hat's official guidance at https://access.redhat.com/articles/11258. Since this is an official fix, applying the update fully mitigates the described vulnerabilities. No additional immediate mitigation steps are required beyond patching.