IRONSMITHINTEL
HIGH, CVSS 7.8 | Actively Exploited | CISA KEV | CVE-2019-0211 | Auth: low (authenticated user) | Reboot: required | Manual only

Apache HTTP Server Privilege Escalation Vulnerability

Apache HTTP Server, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute code with the privileges of the parent process (usually root) by manipulating the scoreboard.

Published Apr 8, 2019 · Updated May 16, 2026
Why patch: risk explained in plain English
Worst-case scenario if unpatched

A local attacker with a low-privilege account can achieve a full loss of data confidentiality, arbitrary modification of data, and complete denial of service (system unavailability). Federal agencies are required to remediate by 2022-05-03 under CISA BOD 22-01.

How the attack works: no clicks needed

This is a Use After Free (CWE-416) vulnerability in Apache HTTP Server. In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected. Exploitation requires local access and a low-privilege authenticated account; attack complexity is low and no user interaction is needed.

Am I affected? Quick check

Probably yes if any of these apply:

Running one of the following:
- http server: 2.4.17 ≤ v ≤ 2.4.38
- fedora: 28, 29, 30
- ubuntu linux: 14.04, 16.04, 18.04, 18.10
- debian linux: 9.0
- leap: 15.0, 42.3
- oncommand unified manager: -
- jboss core services: 1.0
- openshift container platform: 3.11
- openshift container platform for power: 3.11_ppc64le
- software collections: 1.0
- enterprise linux: 8.0
- enterprise linux eus: 8.1, 8.2, 8.4, 8.6, 8.8
- enterprise linux for arm 64: 8.0_aarch64
- enterprise linux for arm 64 eus: 8.1_aarch64, 8.2_aarch64, 8.4_aarch64, 8.6_aarch64, 8.8_aarch64
- enterprise linux for ibm z systems: 8.0_s390x
- enterprise linux for ibm z systems eus: 8.1_s390x, 8.2_s390x, 8.4_s390x, 8.6_s390x, 8.8_s390x
- enterprise linux for power little endian: 8.0_ppc64le
- enterprise linux for power little endian eus: 8.1_ppc64le, 8.2_ppc64le, 8.4_ppc64le, 8.6_ppc64le, 8.8_ppc64le
- enterprise linux server aus: 8.2, 8.4, 8.6
- enterprise linux server tus: 8.2, 8.4, 8.6, 8.8
- enterprise linux update services for sap solutions: 8.0, 8.1, 8.4, 8.6, 8.8
- communications session report manager: 8.0.0, 8.1.0, 8.1.1, 8.2.0
- communications session route manager: 8.0.0, 8.1.0, 8.1.1, 8.2.0
- enterprise manager ops center: 12.3.3, 12.4.0
- http server: 12.2.1.3.0
- instantis enterprisetrack: 17.1, 17.2, 17.3
- retail xstore point of service: 7.0, 7.1
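The upstream version check that the list above implies, written out as a small POSIX shell script. This is an added example, not part of this entry or of the Apache project; it assumes the banner format that `httpd -v` and `apache2ctl -v` print (`Server version: Apache/2.4.xx (...)`) and treats only the 2.4.17 to 2.4.38 range as affected. A version string alone is not conclusive where a distribution backports the fix without bumping the version, so confirm against the package changelog for the vendor builds listed above.

```shell
#!/bin/sh
# Added example (not from the original advisory): decide whether a local
# Apache httpd build falls inside the 2.4.17 .. 2.4.38 range listed above.
# Distributions may backport the fix without changing the version string;
# treat "affected" as "check the package changelog", not as proof.

# Extract "MAJOR.MINOR.PATCH" from a banner such as
# "Server version: Apache/2.4.29 (Ubuntu)". Prints nothing if there is
# no Apache banner in the input.
httpd_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*Apache\/\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 when 2.4.17 <= version <= 2.4.38, 1 otherwise.
in_affected_range() {
    ver=$1
    old_ifs=$IFS
    IFS=.
    # Word-split the version on '.' into positional parameters (intended).
    set -- $ver
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    case "$major$minor$patch" in
        *[!0-9]*) return 1 ;;   # malformed or suffixed version: not matched
    esac
    if [ "$major" -eq 2 ] && [ "$minor" -eq 4 ] && \
       [ "$patch" -ge 17 ] && [ "$patch" -le 38 ]; then
        return 0
    fi
    return 1
}

# Map a banner line to one of: affected, not-affected, unknown.
assess_banner() {
    v=$(httpd_version_from_banner "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif in_affected_range "$v"; then
        echo affected
    else
        echo not-affected
    fi
}

# Live check against a local binary when one is present (httpd on
# RHEL/Fedora-style systems, apache2ctl on Debian/Ubuntu-style systems).
for bin in httpd apache2ctl; do
    if command -v "$bin" >/dev/null 2>&1; then
        printf '%s: %s\n' "$bin" "$(assess_banner "$("$bin" -v 2>/dev/null | head -n 1)")"
    fi
done

# Constructed sample banner for offline use.
assess_banner 'Server version: Apache/2.4.29 (Ubuntu)'
```

Run it on the host in question; "unknown" means no Apache banner was found (for example, a different server or a wrapper script), and "not-affected" still leaves the vendor-build list above to be checked by package name and release rather than by upstream version.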
Real-world incidents: what we've seen

Active exploitation documented in the wild. Threat-research write-up: http://packetstormsecurity.com/files/152415/Slackware-Security-Advisory-httpd-Updates.html

How to patch

Manual remediation steps

Apply the Vendor Patch

This vulnerability is in the CISA Known Exploited Vulnerabilities catalog — apply the vendor's security update as soon as possible.

CISA required action: Apply updates per vendor instructions.

References

1. Vendor advisory: http://www.apache.org/dist/httpd/CHANGES_2.4.39
2. NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2019-0211
3. CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-0211
PowerShell automation: coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.