oss-security - CVE-2026-29169: Apache HTTP Server: mod_dav

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [day] [month] [year] [list]

Message-ID: <e6a48645-bb78-c3df-755f-56456a8e58f3@apache.org>
Date: Mon, 04 May 2026 14:15:25 +0000
From: Eric Covener <covener@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2026-29169: Apache HTTP Server: mod_dav_lock indirect lock
 crash 

Severity: low 

Affected versions:

- Apache HTTP Server through 2.4.66

Description:

A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an attacker to crash the server with a malicious request.mod_dav_lock is not used internally by mod_dav or mod_dav_fs.

The only known use-case for mod_dav_lock was mod_dav_svn from Apache Subversion earlier than version 1.2.0.

Users are recommended to upgrade to version 2.4.66, which fixes this issue, or remove mod_dav_lock.

Credit:

Pavel Kohout, Aisle Research, Aisle.com (finder)

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-29169

Timeline:

2026-03-04: Report received
2026-05-04: 2.4.67 released
2026-05-04: fixed in 2.4.x by r1933354

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.