{"id":"DEBIAN-CVE-2026-29169","details":"A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an attacker to crash the server with a malicious request.mod_dav_lock is not used internally by mod_dav or mod_dav_fs.  The only known use-case for mod_dav_lock was mod_dav_svn from Apache Subversion earlier than version 1.2.0.  Users are recommended to upgrade to version 2.4.66, which fixes this issue, or remove mod_dav_lock.","modified":"2026-05-08T11:00:39.223804Z","published":"2026-05-04T15:16:03.720Z","upstream":["CVE-2026-29169"],"references":[{"type":"ADVISORY","url":"https://security-tracker.debian.org/tracker/CVE-2026-29169"}],"affected":[{"package":{"name":"apache2","ecosystem":"Debian:11","purl":"pkg:deb/debian/apache2?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.4.67-1~deb11u1"}]}],"versions":["2.4.48-3.1","2.4.48-3.1+deb11u1","2.4.48-4","2.4.49-1","2.4.49-1~bpo10+1","2.4.49-1~deb11u1","2.4.49-1~deb11u2","2.4.49-1~deb11u3","2.4.49-2","2.4.49-3","2.4.49-4","2.4.50-1","2.4.50-1~deb11u1","2.4.51-1","2.4.51-1~bpo10+1","2.4.51-1~bpo10+2","2.4.51-1~deb11u1","2.4.51-2","2.4.52-1","2.4.52-1~bpo10+1","2.4.52-1~deb11u1","2.4.52-1~deb11u2","2.4.52-2","2.4.52-3","2.4.53-1","2.4.53-1~deb11u1","2.4.53-2","2.4.53-2~bpo10+1","2.4.54-1","2.4.54-1~deb11u1","2.4.54-2","2.4.54-3","2.4.54-4","2.4.54-5","2.4.55-1","2.4.56-1","2.4.56-1~deb11u1","2.4.56-1~deb11u2","2.4.56-2","2.4.57-1","2.4.57-2","2.4.57-3","2.4.58-1","2.4.59-1","2.4.59-1~deb10u1","2.4.59-1~deb11u1","2.4.59-1~deb12u1","2.4.59-2","2.4.60-1","2.4.61-1","2.4.61-1~deb11u1","2.4.61-1~deb12u1","2.4.62-1","2.4.62-1~deb11u1","2.4.62-1~deb11u2","2.4.62-1~deb12u1","2.4.62-1~deb12u2","2.4.62-2","2.4.62-3","2.4.62-4","2.4.62-5","2.4.62-6","2.4.63-1","2.4.64-1","2.4.65-1","2.4.65-1~deb11u1","2.4.65-1~deb12u1","2.4.65-2","2.4.65-3","2.4.66-1","2.4.66-1~deb11u1","2.4.66-1~deb12u1","2.4.66-1~deb12u2","2.4.66-1~deb13u1","2.4.66-1~deb13u2","2.4.66-2","2.4.66-3","2.4.66-4","2.4.66-5","2.4.66-6","2.4.66-7","2.4.66-8"],"ecosystem_specific":{"urgency":"not yet assigned"},"database_specific":{"source":"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-29169.json"}},{"package":{"name":"apache2","ecosystem":"Debian:12","purl":"pkg:deb/debian/apache2?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.4.67-1~deb12u2"}]}],"versions":["2.4.57-2","2.4.57-3","2.4.58-1","2.4.59-1","2.4.59-1~deb10u1","2.4.59-1~deb11u1","2.4.59-1~deb12u1","2.4.59-2","2.4.60-1","2.4.61-1","2.4.61-1~deb11u1","2.4.61-1~deb12u1","2.4.62-1","2.4.62-1~deb11u1","2.4.62-1~deb11u2","2.4.62-1~deb12u1","2.4.62-1~deb12u2","2.4.62-2","2.4.62-3","2.4.62-4","2.4.62-5","2.4.62-6","2.4.63-1","2.4.64-1","2.4.65-1","2.4.65-1~deb11u1","2.4.65-1~deb12u1","2.4.65-2","2.4.65-3","2.4.66-1","2.4.66-1~deb11u1","2.4.66-1~deb12u1","2.4.66-1~deb12u2","2.4.66-1~deb13u1","2.4.66-1~deb13u2","2.4.66-2","2.4.66-3","2.4.66-4","2.4.66-5","2.4.66-6","2.4.66-7","2.4.66-8","2.4.67-1~deb11u1","2.4.67-1~deb12u1"],"ecosystem_specific":{"urgency":"not yet assigned"},"database_specific":{"source":"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-29169.json"}},{"package":{"name":"apache2","ecosystem":"Debian:13","purl":"pkg:deb/debian/apache2?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.4.67-1~deb13u2"}]}],"versions":["2.4.65-2","2.4.65-3","2.4.66-1","2.4.66-1~deb11u1","2.4.66-1~deb12u1","2.4.66-1~deb12u2","2.4.66-1~deb13u1","2.4.66-1~deb13u2","2.4.66-2","2.4.66-3","2.4.66-4","2.4.66-5","2.4.66-6","2.4.66-7","2.4.66-8","2.4.67-1~deb11u1","2.4.67-1~deb12u1","2.4.67-1~deb12u2","2.4.67-1~deb13u1"],"ecosystem_specific":{"urgency":"not yet assigned"},"database_specific":{"source":"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-29169.json"}},{"package":{"name":"apache2","ecosystem":"Debian:14","purl":"pkg:deb/debian/apache2?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.4.65-2","2.4.65-3","2.4.66-1","2.4.66-1~deb11u1","2.4.66-1~deb12u1","2.4.66-1~deb12u2","2.4.66-1~deb13u1","2.4.66-1~deb13u2","2.4.66-2","2.4.66-3","2.4.66-4","2.4.66-5","2.4.66-6","2.4.66-7","2.4.66-8","2.4.67-1","2.4.67-1~deb11u1","2.4.67-1~deb12u1","2.4.67-1~deb12u2","2.4.67-1~deb13u1","2.4.67-1~deb13u2"],"ecosystem_specific":{"urgency":"not yet assigned"},"database_specific":{"source":"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-29169.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}