Security News

Cybersecurity news aggregator

HIGH Updates Red Hat Errata

RHSA-2026:21391: Important: httpd security update

Multiple heap-based buffer over-reads and memory disclosure vulnerabilities in Apache HTTP Server's `mod_proxy_ajp` module (CVE-2026-34059, CVSS 7.5 HIGH; CVE-2026-34032 & CVE-2026-33857, CVSS 5.3 MEDIUM) can be exploited via AJP requests to a misconfigured proxy. These affect Apache HTTP Server versions prior to 2.4.67. The fix requires upgrading the `httpd` packages to a version containing the patched Apache 2.4.67.

Red Hat Product Errata
RHSA-2026:21391 - Security Advisory
Issued: 2026-05-27
Updated: 2026-05-27

Synopsis
Important: httpd security update

Type/Severity
Security Advisory: Important

Topic
An update for httpd is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description
The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

Security Fix(es):
- httpd: mod_proxy_ajp: heap-based buffer over-read and memory disclosure in ajp_parse_data() (CVE-2026-34059)
- httpd: mod_proxy_ajp: heap-based buffer over-read due to missing null-termination check (CVE-2026-34032)
- httpd: mod_proxy_ajp: off-by-one out-of-bounds reads in AJP getter functions (CVE-2026-33857)
- httpd: mod_authn_socache: NULL pointer dereference can cause a child process crash (CVE-2026-33007)
- Apache HTTP Server: mod_proxy_ajp: Apache HTTP Server mod_proxy_ajp: Arbitrary code execution via heap-based buffer overflow (CVE-2026-28780)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258

Affected Products
- Red Hat Enterprise Linux for x86_64 9 x86_64
- Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.8 x86_64
- Red Hat Enterprise Linux for IBM z Systems 9 s390x
- Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.8 s390x
- Red Hat Enterprise Linux for Power, little endian 9 ppc64le
- Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.8 ppc64le
- Red Hat Enterprise Linux for ARM 64 9 aarch64
- Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.8 aarch64
- Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.8 ppc64le
- Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.8 x86_64
- Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.8 aarch64
- Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.8 s390x
- Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 9.8 x86_64
- Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 9.8 aarch64
- Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 9.8 ppc64le
- Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 9.8 s390x

Fixes
- BZ - 2464940 - CVE-2026-34059 httpd: mod_proxy_ajp: heap-based buffer over-read and memory disclosure in ajp_parse_data()
- BZ - 2464952 - CVE-2026-34032 httpd: mod_proxy_ajp: heap-based buffer over-read due to missing null-termination check
- BZ - 2464953 - CVE-2026-33857 httpd: mod_proxy_ajp: off-by-one out-of-bounds reads in AJP getter functions
- BZ - 2465299 - CVE-2026-33007 httpd: mod_authn_socache: NULL pointer dereference can cause a child process crash
- BZ - 2466913 - CVE-2026-28780 Apache HTTP Server: mod_proxy_ajp: Apache HTTP Server mod_proxy_ajp: Arbitrary code execution via heap-based buffer overflow

CVEs
- CVE-2026-28780
- CVE-2026-33007
- CVE-2026-33857
- CVE-2026-34032
- CVE-2026-34059

References
https://access.redhat.com/security/updates/classification/#important

Updated Packages
Note: More recent versions of these packages may be available.
Red Hat Enterprise Linux for x86_64 9 SRPM: httpd-2.4.62-13.el9_8.1.src.rpm
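A fleet check for this advisory, as an added example that is not part of the advisory or of Red Hat's tooling: the fixes ship for RHEL 9 as httpd-2.4.62-13.el9_8.1, so a scanner that compares only the upstream version against 2.4.67 reports patched hosts as vulnerable. The host names and the builds other than the advisory's own are constructed, and the comparison assumes version strings without `~` or `^` markers.

```python
import re

FIXED_EL9 = "2.4.62-13.el9_8.1"   # build shipped by RHSA-2026:21391 (from the advisory)
UPSTREAM_FIXED = "2.4.67"         # upstream release carrying the fixes

def rpmvercmp(a, b):
    """Segment comparison in the style of rpm (assumption: no '~' or '^' markers)."""
    sa = re.findall(r"[0-9]+|[A-Za-z]+", a)
    sb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1      # a numeric segment beats an alphabetic one
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments mean newer

def split_evr(evr):
    """Split '[epoch:]version-release'; a missing epoch counts as 0."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return epoch or "0", version, release

def evr_cmp(a, b):
    for x, y in zip(split_evr(a), split_evr(b)):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0

def is_patched(evr):
    return evr_cmp(evr, FIXED_EL9) >= 0

def naive_is_patched(evr):
    """The scanner mistake: judging a RHEL build by its upstream version alone."""
    return rpmvercmp(split_evr(evr)[1], UPSTREAM_FIXED) >= 0

# Constructed inventory: "host version-release", the shape printed by
# rpm -q --qf '%{VERSION}-%{RELEASE}\n' httpd
INVENTORY = """\
web01 2.4.62-13.el9_8.1
web02 2.4.62-13.el9_8
web03 2.4.57-11.el9_4.1
web04 2.4.62-14.el9_8
"""

def audit(inventory=INVENTORY):
    return {h: is_patched(v) for h, v in (l.split() for l in inventory.splitlines())}

if __name__ == "__main__":
    for host, ok in audit().items():
        print(host, "patched" if ok else "needs RHSA-2026:21391")
```

The check applies only to the RHEL 9 streams this advisory covers; other product streams carry their own fixed builds.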
