Apache HTTP Server Integer Overflow Vulnerability in ACME Certificate Renewal Process

Vulnerability

An integer overflow vulnerability has been identified in the Apache HTTP Server's mod_md module, specifically in the ACME certificate renewal process. It affects versions from 2.4.30 up to, but not including, 2.4.66. When certificate renewal fails repeatedly, the retry backoff timer overflows and is set to zero. As a result, the server retries the renewal continuously with no delay between attempts until a renewal succeeds.
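The failure mode described above, as an added illustration rather than mod_md's actual code: a retry delay that doubles on every failure and is computed in a fixed-width integer wraps to zero after enough failures, beside a capped version that cannot. The base delay, the one-day cap and the 32-bit width are constructed assumptions for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration (not mod_md's actual code): how a renewal
 * retry delay that doubles on every failure can wrap to zero when the
 * computation is done in a fixed-width integer without a cap. */

#define BASE_DELAY_SECS   60u      /* first retry after one minute (assumed) */
#define MAX_DELAY_SECS    86400u   /* hardened version never waits longer than a day (assumed) */

/* Naive backoff: delay = base * 2^failures, computed in 32 bits.
 * Once base * 2^failures is a multiple of 2^32 the value wraps to 0,
 * and a caller that sleeps for "delay" seconds retries immediately. */
uint32_t naive_backoff(unsigned failures)
{
    uint32_t delay = BASE_DELAY_SECS;
    for (unsigned i = 0; i < failures; i++) {
        delay *= 2;  /* unsigned wraparound is well-defined but silently drops the high bits */
    }
    return delay;
}

/* Hardened backoff: stop doubling before the multiplication can exceed the
 * cap, clamp to MAX_DELAY_SECS, and never return a delay below the base. */
uint32_t safe_backoff(unsigned failures)
{
    uint32_t delay = BASE_DELAY_SECS;
    for (unsigned i = 0; i < failures; i++) {
        if (delay > MAX_DELAY_SECS / 2) {
            return MAX_DELAY_SECS;   /* doubling again would pass the cap */
        }
        delay *= 2;
    }
    return delay < BASE_DELAY_SECS ? BASE_DELAY_SECS : delay;
}

int main(void)
{
    /* With a 60 s base, the naive delay reaches 0 at 30 consecutive failures. */
    printf("failures  naive(s)     safe(s)\n");
    for (unsigned f = 0; f <= 32; f += 2) {
        printf("%8u  %10u  %10u\n", f, naive_backoff(f), safe_backoff(f));
    }
    return 0;
}
```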

Impact

Exploitation of this vulnerability causes a denial-of-service condition: the server is overwhelmed by rapid, repeated certificate renewal attempts because the intended backoff mechanism is bypassed.

Remediation

Users are advised to upgrade to Apache HTTP Server version 2.4.66, which addresses this vulnerability.

Added: Dec 5, 2025, 11:20 AM
Updated: Dec 5, 2025, 11:20 AM

Vulnerability Rating

Custom Algorithm

spread: 9.4
impact: 2.5
exploitability: 6.4
remediation: 7.7
relevance: 1.2
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.