Apache HTTP Server mod_dav_lock NULL Pointer Dereference Vulnerability Allowing Denial-of-Service

Vulnerability

A NULL pointer dereference vulnerability has been identified in the mod_dav_lock module of Apache HTTP Server. This issue affects versions through 2.4.66. The vulnerability may allow an attacker to crash the server by sending a malicious request. The mod_dav_lock module is not used by default in mod_dav or mod_dav_fs, and its only known application is with mod_dav_svn in Apache Subversion versions prior to 1.2.0.

Impact

Exploitation of this vulnerability can lead to a server crash, causing a denial-of-service condition.

Remediation

Users are advised to upgrade to Apache HTTP Server version 2.4.67, which addresses this vulnerability. Alternatively, mod_dav_lock can be removed.
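
The two remediation conditions above (version below 2.4.67, mod_dav_lock loaded) can be checked per host. The script below is an added example, not part of the original advisory or of the Apache project; the function names are hypothetical, the sample input is constructed, and the binary name `httpd` is an assumption (some distributions install it as `apache2` or wrap it with `apachectl`).

```shell
#!/bin/sh
# Added example (not from the advisory): triage one httpd instance.
# Affected per the advisory: versions through 2.4.66 with mod_dav_lock loaded.
FIXED_VERSION="2.4.67"

# version_lt A B: succeeds when dotted version A sorts strictly before B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# classify VERSION_OUTPUT MODULES_OUTPUT
#   VERSION_OUTPUT: text printed by `httpd -v`
#   MODULES_OUTPUT: text printed by `httpd -M`
# Prints: unknown-version | module-not-loaded | vulnerable | fixed-version
classify() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's|^Server version: Apache/\([0-9][0-9.]*\).*|\1|p')
    if [ -z "$ver" ]; then echo "unknown-version"; return 0; fi
    if ! printf '%s\n' "$2" |
        grep -E '^[[:space:]]*dav_lock_module[[:space:]]' >/dev/null; then
        echo "module-not-loaded"; return 0
    fi
    if version_lt "$ver" "$FIXED_VERSION"; then
        echo "vulnerable"
    else
        echo "fixed-version"
    fi
}

# Constructed sample input, shaped like `httpd -v` / `httpd -M` output.
SAMPLE_V='Server version: Apache/2.4.66 (Unix)
Server built:   Jan  1 2026 00:00:00'
SAMPLE_M='Loaded Modules:
 core_module (static)
 dav_module (shared)
 dav_lock_module (shared)'

classify "$SAMPLE_V" "$SAMPLE_M"   # prints: vulnerable
# On a live host: classify "$(httpd -v)" "$(httpd -M 2>/dev/null)"
```

Distribution packages often backport fixes without changing the upstream version string, so a "vulnerable" result on a vendor build should be confirmed against that vendor's own advisory.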

Added: May 4, 2026, 3:22 PM
Updated: May 4, 2026, 3:22 PM

Vulnerability Rating

Custom Algorithm

spread: 9.4
impact: 0.6
exploitability: 7.6
remediation: 7.7
relevance: 7.4
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.