CVE-2021-26690

7.5 HIGH

📋 TL;DR

CVE-2021-26690 is a NULL pointer dereference vulnerability in Apache HTTP Server's mod_session module that can be triggered by a specially crafted Cookie header. This causes the server to crash, resulting in a denial of service. All Apache HTTP Server installations using mod_session with versions 2.4.0 through 2.4.46 are affected.

💻 Affected Systems

Products:
  • Apache HTTP Server
Versions: 2.4.0 to 2.4.46 inclusive
Operating Systems: All operating systems running affected Apache versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if mod_session is enabled and configured. Many default installations do not enable mod_session.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Repeated exploitation could cause sustained service outages, making web applications completely unavailable to legitimate users.

🟠 Likely Case: Intermittent server crashes requiring manual restart, causing temporary service disruption and potential data loss for in-flight requests.

🟢 If Mitigated: With proper monitoring and automated restart mechanisms, impact is limited to brief service interruptions during attack windows.

🌐 Internet-Facing: HIGH - Apache HTTP Server is commonly internet-facing, and the exploit requires only HTTP access with no authentication.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit this, but the attack surface is smaller than internet-facing deployments.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward - sending a malformed Cookie header to a vulnerable endpoint. Public proof-of-concept code exists in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apache HTTP Server 2.4.47 and later

Vendor Advisory: http://httpd.apache.org/security/vulnerabilities_24.html

Restart Required: Yes

Instructions:

1. Download Apache HTTP Server 2.4.47 or later from the official Apache website.
2. Stop the current Apache service.
3. Install the updated version.
4. Restart the Apache service.
5. Verify the new version is running.

🔧 Temporary Workarounds

Disable mod_session


Remove or comment out mod_session module loading if session functionality is not required

# In httpd.conf or apache2.conf, comment out:
# LoadModule session_module modules/mod_session.so
# Also remove any Session* directives from the configuration

Use mod_security to filter malicious cookies


Implement Web Application Firewall rules to block malformed Cookie headers

# Example mod_security rule (add to the mod_security configuration file):
SecRule REQUEST_HEADERS:Cookie "@rx \x00" "id:1001,phase:1,deny,status:400,msg:'NULL byte in Cookie header'"

🧯 If You Can't Patch

  • Implement network-level filtering to block requests with malformed Cookie headers at load balancer or WAF
  • Deploy monitoring with automated restart scripts to minimize downtime during attacks

🔍 How to Verify

Check if Vulnerable:

Check the Apache configuration for an active 'LoadModule session_module' line and verify that the Apache version is between 2.4.0 and 2.4.46 inclusive.

Check Version:

httpd -v (or apache2 -v on some systems)

Verify Fix Applied:

Verify that the Apache version is 2.4.47 or later and test with known exploit payloads to confirm that no crash occurs.

📡 Detection & Monitoring

Log Indicators:

  • Apache crash logs with segmentation fault errors
  • Repeated Apache service restarts in system logs
  • Error logs containing 'mod_session' related crashes

Network Indicators:

  • HTTP requests with malformed Cookie headers containing NULL bytes
  • Sudden drops in legitimate traffic followed by service restarts

SIEM Query:

(source="apache_access" AND (Cookie="*\x00*" OR Cookie="*%00*")) OR (source="apache_error" AND message="*segmentation fault*" AND message="*mod_session*")
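The version check from "How to Verify" and the log indicators above, as an added example script that is not part of this advisory. It runs over constructed sample log lines; it assumes an access LogFormat that appends the Cookie request header (%{Cookie}i) as the last quoted field, and the log contents and version banner are made up for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not captured from a real host). The access log
# is assumed to use a LogFormat ending in the Cookie header, for example:
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Cookie}i\"" withcookie
ACCESS_LOG = """\
10.0.0.5 - - [10/Jun/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "session=abc123"
10.0.0.9 - - [10/Jun/2021:12:00:02 +0000] "GET /app HTTP/1.1" 400 0 "session=%00"
10.0.0.9 - - [10/Jun/2021:12:00:02 +0000] "GET /app HTTP/1.1" 400 0 "session=\\x00"
10.0.0.7 - - [10/Jun/2021:12:00:03 +0000] "GET /login HTTP/1.1" 200 230 "lang=en"
"""
ERROR_LOG = """\
[Thu Jun 10 12:00:02.100 2021] [core:notice] [pid 1201] AH00052: child pid 1340 exit signal Segmentation fault (11)
[Thu Jun 10 12:00:05.000 2021] [mpm_event:notice] [pid 1201] AH00489: Apache/2.4.46 (Unix) configured -- resuming normal operations
"""

VULN_MIN, VULN_MAX = (2, 4, 0), (2, 4, 46)  # inclusive range given in the advisory

def is_affected_version(banner: str) -> bool:
    """True if an 'httpd -v' banner reports a version inside the affected range."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no Apache version found in banner")
    return VULN_MIN <= tuple(int(x) for x in m.groups()) <= VULN_MAX

COOKIE_FIELD = re.compile(r'"([^"]*)"\s*$')  # last quoted field = logged Cookie header

def cookie_has_null(line: str) -> bool:
    """Flag a Cookie field carrying a NUL byte: raw, %00-encoded, or Apache's \\x00 escape."""
    m = COOKIE_FIELD.search(line)
    if not m:
        return False
    cookie = m.group(1)
    return "\x00" in cookie or "\\x00" in cookie or "\x00" in unquote(cookie)

def suspicious_cookie_lines(access_log: str) -> list:
    return [l for l in access_log.splitlines() if cookie_has_null(l)]

CRASH = re.compile(r"exit signal Segmentation fault|mod_session", re.IGNORECASE)

def crash_lines(error_log: str) -> list:
    """Error-log lines matching the segfault / mod_session indicators."""
    return [l for l in error_log.splitlines() if CRASH.search(l)]

if __name__ == "__main__":
    print("affected:", is_affected_version("Server version: Apache/2.4.46 (Unix)"))
    for l in suspicious_cookie_lines(ACCESS_LOG) + crash_lines(ERROR_LOG):
        print("ALERT:", l)
```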

🔗 References
