Context
The Apache HTTP Server project released 2.4.67 on 4 May 2026, closing 11 CVEs. CVE-2026-28780 was added to NVD on 5 May and is currently scored 9.8 by CISA-ADP enrichment as of 6 May. Apache's own severity ratings (important / moderate / low) differ from the CVSS-v3.1 values visible on NVD — those values mostly originate from CISA-ADP enrichment rather than from Apache's PSIRT.
Cause-side classification under TLCTC differs from the headline-driven reading. The terms "RCE", "privilege escalation", and "DoS" appearing in CVE descriptions are consequence labels — they describe the System Compromise pivot (SRE) or Data Risk Events (DRE) on the consequence side, not threat clusters. The cluster is determined by the generic vulnerability the threat exploits — and for proxy and consumer code paths, R-ROLE governs whether the host occupies server-role or client-role with respect to attacker-controlled input.
Summary Table
| CVE | Module | CWE | CVSS | TLCTC | IAV | Path |
|---|---|---|---|---|---|---|
| CVE-2026-23918 | HTTP/2 | CWE-415 | 8.8 | #2 | No (PR:L) | #2 + [DRE: Av] (or #2 → #7 if R-EXEC succeeds) |
| CVE-2026-24072 | various | CWE-269 | 8.8 | #2 | No (.htaccess author) | #2 \|[privilege][@htaccess-author→@httpd-user]\| + [DRE: C] |
| CVE-2026-29169 | mod_dav_lock | CWE-476 | 7.5 | #2 | Yes | #2 + [DRE: Av] |
| CVE-2026-34059 | mod_proxy_ajp | CWE-126 | 7.5 | #3 | No (malicious backend) | #3 + [DRE: C] |
| CVE-2026-29168 | mod_md | CWE-770 | 7.3 | #6 | No (OCSP path influence) | #6 + [DRE: Av] |
| CVE-2026-33523 | multiple | CWE-443 | 6.5 | #3 | No (untrusted backend) | #3 + [DRE: I] |
| CVE-2026-33007 | mod_authn_socache | CWE-476 | 5.3 | #2 | Yes | #2 + [DRE: Av] |
| CVE-2026-34032 | mod_proxy_ajp | CWE-125, CWE-170 | 5.3 | #3 | No (malicious backend) | #3 + [DRE: C] |
| CVE-2026-33857 | mod_proxy_ajp | CWE-125 | 5.3 | #3 | No (malicious backend) | #3 + [DRE: C] |
| CVE-2026-33006 | mod_auth_digest | CWE-208 | 4.8 | #2 | Yes | #2 + [DRE: C] → #4 |
| CVE-2026-28780 | mod_proxy_ajp | CWE-122 | 9.8 | #3 | No (malicious backend) | #3 + [DRE: Av] (or #3 → #7 if R-EXEC succeeds) |
Cluster distribution: #2 ×5, #3 ×5, #6 ×1.
IAV-Yes (drive-by reachable): CVE-2026-29169, CVE-2026-33007, CVE-2026-33006.
No CVE in this batch is primarily #7. Where #7 could appear, it is a downstream R-EXEC step subsequent to #2 or #3 — never the cause-side cluster.
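As an added example (not code from the original analysis or from the TLCTC project), a small parser for the path-notation column in the summary table above. It re-derives the cluster distribution, the IAV-Yes subset, and the set of CVEs whose #7 step is gated on R-EXEC; the row tuples are transcribed from the table, and the regexes assume the notation forms that the table actually uses.

```python
import re
from dataclasses import dataclass
# Transcribed from the summary table above: (cluster column, IAV flag, path column).
ROWS = {
    "CVE-2026-23918": ("#2", False, "#2 + [DRE: Av] (or #2 → #7 if R-EXEC succeeds)"),
    "CVE-2026-24072": ("#2", False, "#2 |[privilege][@htaccess-author→@httpd-user]| + [DRE: C]"),
    "CVE-2026-29169": ("#2", True, "#2 + [DRE: Av]"),
    "CVE-2026-34059": ("#3", False, "#3 + [DRE: C]"),
    "CVE-2026-29168": ("#6", False, "#6 + [DRE: Av]"),
    "CVE-2026-33523": ("#3", False, "#3 + [DRE: I]"),
    "CVE-2026-33007": ("#2", True, "#2 + [DRE: Av]"),
    "CVE-2026-34032": ("#3", False, "#3 + [DRE: C]"),
    "CVE-2026-33857": ("#3", False, "#3 + [DRE: C]"),
    "CVE-2026-33006": ("#2", True, "#2 + [DRE: C] → #4"),
    "CVE-2026-28780": ("#3", False, "#3 + [DRE: Av] (or #3 → #7 if R-EXEC succeeds)"),
}

CLUSTER = re.compile(r"#\d+")
DRE = re.compile(r"\[DRE:\s*([^\]]+)\]")
PIVOT = re.compile(r"\|\[([^\]]+)\]\[([^\]]+)\]\|")    # |[privilege][@a→@b]|
COND = re.compile(r"\(or\s+(.*?)\s+if\s+([^)]+)\)")   # (or #2 → #7 if R-EXEC succeeds)
@dataclass
class Path:
    primary: str          # cause-side cluster: always the first token of the path
    chain: list           # clusters reached unconditionally after it (e.g. → #4)
    conditional: list     # clusters reached only if a rule such as R-EXEC succeeds
    dre: list             # consequence-side DRE outcomes: C, I, Av
    pivots: list          # intra-system operators, rendered as "kind:transition"
def parse_path(text):
    conditional = []
    for alternative, _rule in COND.findall(text):
        conditional += CLUSTER.findall(alternative)[1:]   # drop the repeated primary
    main = COND.sub("", text)
    clusters = CLUSTER.findall(main)
    return Path(clusters[0], clusters[1:], conditional,
                [d.strip() for d in DRE.findall(main)],
                [f"{kind}:{move}" for kind, move in PIVOT.findall(main)])

def triage(rows):
    # Cluster distribution, drive-by (IAV-Yes) set, and CVEs whose #7 is R-EXEC-gated.
    counts, drive_by, exec_gated = {}, [], []
    for cve, (cluster, iav, path_text) in rows.items():
        p = parse_path(path_text)
        if p.primary != cluster:
            raise ValueError(f"{cve}: path starts with {p.primary}, cluster column says {cluster}")
        counts[p.primary] = counts.get(p.primary, 0) + 1
        if iav:
            drive_by.append(cve)
        if "#7" in p.conditional:
            exec_gated.append(cve)
    return counts, drive_by, exec_gated
```

`triage(ROWS)` reproduces the distribution stated above (#2 ×5, #3 ×5, #6 ×1) and confirms that #7 appears only as an R-EXEC-gated step, never as a primary cluster.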
Per-Cluster Notes
#2 Exploiting Server (5)
These CVEs sit in code paths where Apache is the receiver of attacker-controlled HTTP requests, and the defect is in server-side request handling.
- CVE-2026-23918 — Double free in HTTP/2 connection handling (CWE-415). CVSS 8.8 reflects potential code execution, but the realised outcome depends on whether the heap-corruption primitive can be turned into R-EXEC. Without R-EXEC the direct effect is process crash, hence [DRE: Av]. With successful R-EXEC the chain extends as #2 → #7; the System Compromise pivot is implicit between the steps, not a path node. PR:L makes this not drive-by from the open internet.
- CVE-2026-24072 — Privilege management defect in module logic (CWE-269). "Privilege escalation" is consequence vocabulary; the cause is a server-side implementation flaw that fails to enforce the intended privilege boundary. The privilege transition itself is captured by the intra-system operator |[privilege][@htaccess-author→@httpd-user]|, not as a separate cluster.
- CVE-2026-29169 — Classic NULL-deref crash in mod_dav_lock (CWE-476). IAV-Yes (AV:N, PR:N, UI:N). Direct availability loss against any reachable instance with the module enabled.
- CVE-2026-33007 — NULL deref in mod_authn_socache (CWE-476). Same pattern as 29169; IAV-Yes.
- CVE-2026-33006 — Timing side-channel in mod_auth_digest (CWE-208). The digest comparison routine has an unintended observable timing property; this is a server-side code defect, not function abuse, hence #2 rather than #1. Per R-CRED, credential acquisition through this flaw maps to the enabling cluster (#2 with [DRE: C]); the subsequent presentation of derived or forged digest material for authentication is #4.
#3 Exploiting Client (5) — R-ROLE applied
All five sit in mod_proxy_ajp or in response-parsing paths where Apache consumes output from a backend. Per R-ROLE, the cluster is determined by position relative to attacker-controlled input — not by the daemon's runtime identity. When mod_proxy_ajp parses an AJP message, the AJP server's response is the input under attacker influence (under the assumption of a malicious or compromised backend), and Apache occupies client-role in that protocol leg. Memory-safety and parsing bugs in this code therefore classify as #3, not #2.
- CVE-2026-34059 — Buffer over-read consuming AJP backend response (CWE-126). Memory disclosure → [DRE: C].
- CVE-2026-33523 — Response splitting on a parsed status line from an untrusted backend (CWE-443). The direct effect is response-construction integrity loss, hence [DRE: I]. Downstream confidentiality impact (smuggled responses leaking data to subsequent clients via cache poisoning) is a chain effect that depends on the deployment topology and is not pre-asserted in the path.
- CVE-2026-34032 — Improper null termination plus OOB read on AJP-supplied strings (CWE-125, CWE-170).
- CVE-2026-33857 — OOB read on AJP backend input (CWE-125).
- CVE-2026-28780 — Heap-based buffer overflow on an AJP backend message (CWE-122). The most severe of the batch in raw CVSS terms (9.8). Without successful R-EXEC the realised effect is process crash ([DRE: Av]). With R-EXEC the chain extends #3 → #7; the System Compromise pivot is implicit between the steps, not a path node.
All five share an IAV-No precondition: a malicious or compromised AJP backend must be in scope. Operationally this is a chain condition — these CVEs are not internet-facing drive-by exposures; they are post-foothold or trust-boundary scenarios.
#6 Flooding Attack (1)
- CVE-2026-29168 — mod_md allocation without limits (CWE-770). The generic vulnerability is the absence of capacity bounds, not a memory or parser defect. The mechanism does not require a code flaw; it requires the legitimate code path to be invoked at scale via attacker-influenced OCSP material. Primary mapping is #6 + [DRE: Av].
Possible chained scenarios — flagged as inference, not assertion: if the OCSP responder traffic can be intercepted, a plausible enabler is #5 → #6; if a CA or responder in the trust chain is compromised, a plausible enabler is #10 → #6. Either way, the cause-side cluster of the vulnerability itself remains #6.
Semantic Muddles in the Source Reporting
- "RCE", "Privilege Escalation", and "DoS" are consequence labels. They name the System Compromise pivot (SRE) or DRE outcomes, not threat clusters. CVE descriptions place them in the title slot where TLCTC requires the cause-side cluster. This batch contains zero CVEs with "RCE" as primary cluster — RCE appears only as a potential downstream effect of #2 or #3, contingent on R-EXEC, modelled as → #7.
- CVSS scoring conflates cause and consequence. A 9.8 score and a 5.3 score can both be #3 (CVE-2026-28780 vs CVE-2026-33857). The score reflects exploitability and impact magnitude; it does not communicate cluster, R-ROLE, or chain conditions. CVSS-only triage will under-weight 28780's chain dependency (requires malicious backend) and over-weight 29169's likely availability-only outcome.
- R-ROLE is invisible without the framework. Five CVEs in this batch — 28780, 33523, 33857, 34032, 34059 — would be misclassified as #2 by anyone reading "Apache HTTP Server" as "server" rather than tracing the data flow. The control surface for these is materially different: outbound trust hardening (mTLS to AJP backends, segmentation, backend authentication, anomaly monitoring on backend responses) rather than inbound request hardening (WAF, request normalisation, rate limiting).
- No velocity context is offered. The article presents 11 CVEs as a flat list. Operationally, only the IAV-Yes subset (29169, 33007, 33006) is exploitable at VC-1 / VC-2 (mass-scanning, opportunistic). The IAV-No subset has lower velocity because it requires either authenticated context or backend compromise as a precondition. Patch-window risk concentrates on the three IAV-Yes CVEs.
Operational Reading
The 2.4.67 batch is structurally a balanced #2/#3 set with a single #6. The #2 set responds to inbound request-hardening controls and is the conventional Apache attack surface. The #3 set is not defensible by the same controls — it requires hardening the trust relationship with AJP backends. A defender who treats this entire patch round as "harden the front door" will leave the #3 surface untouched.
The patch closes all eleven, but the threat-model implications differ cluster-by-cluster: anyone running mod_proxy_ajp in front of a backend they don't fully control should treat the #3 group as a chain-vulnerability disclosure, not a perimeter issue.
Five of eleven CVEs (28780, 33523, 33857, 34032, 34059) live in mod_proxy_ajp response-parsing code where Apache occupies client-role with respect to attacker-influenced input. Reading "Apache HTTP Server" as "server" misclassifies them as #2 and points defenders at WAFs and request normalisation — the wrong control surface. The right surface is backend trust: mTLS to AJP backends, segmentation, backend authentication, anomaly monitoring on backend responses.
The analysis in this article applies the TLCTC v2.1 taxonomy — ten cause-oriented threat clusters defined by generic vulnerabilities, classification rules (R-ROLE, R-EXEC, R-CRED, R-SUPPLY, R-ABUSE), and an attack-path notation that separates clusters from DRE outcomes and intra-system pivots. For more information: tlctc.net.
IAV (Internet-Accessible Vulnerability): a precondition-level annotation borrowed from operational triage practice — "Yes" means an unauthenticated, network-reachable attacker can reach the vulnerable code path directly; "No" means a precondition (low-priv account, malicious backend, .htaccess authoring rights) gates exploitation. DRE (Data Risk Event): the consequence-side classification on data — loss of Confidentiality, Integrity, or Availability. Used additively as + [DRE: C|I|Av] in the path notation.