CVE-2026-29169
Published: 04 May 2026
Description
A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an attacker to crash the server with a malicious request. mod_dav_lock is not used internally by mod_dav or mod_dav_fs. The only known use-case for mod_dav_lock was mod_dav_svn from Apache Subversion earlier than version 1.2.0. Users are recommended to upgrade to version 2.4.66, which fixes this issue, or remove mod_dav_lock.
Security Summary (AI)
CVE-2026-29169 is a NULL pointer dereference vulnerability in the mod_dav_lock module of Apache HTTP Server versions 2.4.66 and earlier. This flaw occurs when processing a malicious request, potentially leading to a server crash. The mod_dav_lock module is not used internally by mod_dav or mod_dav_fs, with its only known use case being mod_dav_svn from Apache Subversion versions earlier than 1.2.0. The vulnerability is classified under CWE-476 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction by sending a specially crafted request to a server with mod_dav_lock enabled. Successful exploitation results in a denial-of-service condition through server crashes, disrupting availability without impacting confidentiality or integrity.
The official Apache HTTP Server security advisory recommends upgrading to version 2.4.66, which addresses the issue, or removing the mod_dav_lock module entirely. Additional details are available in the Apache vulnerabilities page at https://httpd.apache.org/security/vulnerabilities_24.html and the oss-security mailing list announcement at http://www.openwall.com/lists/oss-security/2026/05/04/20.
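One way to check whether a host still loads mod_dav_lock, the module the advisory says to remove. This is an added example, not code from the advisory or the Apache project. It assumes the output of `httpd -M` (or `apachectl -M`) has been saved to a file and that the configuration file paths are passed as arguments; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a host for mod_dav_lock (POSIX sh + awk + grep).

# Print "file:line:text" for each active (non-commented) directive that loads
# or configures mod_dav_lock. Directive names are case-insensitive in httpd
# configuration, so matching is done on a lower-cased copy of the line.
find_dav_lock_directives() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line) }   # strip leading indentation
        line ~ /^#/ { next }                      # skip commented-out lines
        {
            l = tolower(line)
            if (l ~ /^loadmodule[ \t]+dav_lock_module([ \t]|$)/ ||
                l ~ /^davgenericlockdb([ \t]|$)/)
                printf "%s:%d:%s\n", FILENAME, FNR, line
        }
    ' "$@"
}

# Read `httpd -M` output on stdin; succeed if dav_lock_module is listed,
# whether compiled in (static) or loaded as a shared object.
dav_lock_loaded() {
    grep -Eq '^[[:space:]]*dav_lock_module[[:space:]]+\((static|shared)\)'
}

# $1 = file holding `httpd -M` output, remaining args = config files.
# Returns 0 if the module is referenced or loaded, 1 if clean, 2 on bad usage.
audit_dav_lock() {
    [ "$#" -ge 2 ] || return 2
    modules_file=$1; shift
    status=1
    hits=$(find_dav_lock_directives "$@")
    if [ -n "$hits" ]; then
        printf 'config references mod_dav_lock:\n%s\n' "$hits"
        status=0
    fi
    if dav_lock_loaded < "$modules_file"; then
        echo 'httpd -M reports dav_lock_module loaded'
        status=0
    fi
    return "$status"
}
```

The static scan does not evaluate `<IfDefine>` or `<IfModule>` blocks or `Include` directives, which is why the runtime module list is checked as well.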
Details
- CWE(s)