Is there any timeline for a release of Apache 2.4.67 to mitigate against CVE-2026-33523? Apache have marked it as a low priority but we would like to get this patched as soon as possible. I can’t see it on the RHEL CVE checker either so am not 100% sure if it affects Alma running Apache <2.4.67 or not?
Hello,
According to the official Apache HTTP Server security page, CVE-2026-33523 affects Apache HTTP Server 2.4.0 through 2.4.66, and users are recommended to upgrade to 2.4.67, which fixes the issue.
However, RHEL / AlmaLinux packages often backport security fixes without changing the upstream version number. So I think we should wait for the Red Hat / AlmaLinux security advisory or package update rather than judge only by the Apache upstream version.
Apache official reference:
Thanks
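Because a backported fix leaves the upstream version number unchanged, the package changelog is one place to confirm whether an installed build addresses a CVE. The following is an added example, not part of the thread or of any project's tooling: `fixed_in` and `sample_changelog` are hypothetical names, the changelog text is constructed, and the script assumes the `rpm -q --changelog` layout in which each entry header ends with the version-release.

```shell
#!/bin/sh
# Added example: report which package build, if any, names a CVE in its
# RPM changelog. Reads `rpm -q --changelog <package>` style text on stdin.

# fixed_in CVE-ID
# Prints the version-release of the oldest changelog entry that mentions
# the CVE. Returns 1 (and prints nothing) when no entry mentions it.
fixed_in() {
    awk -v cve="$1" '
        # Entry header, e.g. "* Mon Mar 02 2026 Name <mail> - 0.0.0-2.example"
        # Assumption: the last field of the header is the version-release.
        /^\* / { ver = $NF; next }
        # Entries are listed newest first, so the last match seen is the
        # earliest build that references the CVE.
        index($0, cve) { found = ver }
        END { if (found == "") exit 1; print found }
    '
}

# Constructed sample changelog with placeholder versions (not real package data).
sample_changelog() {
    cat <<'EOF'
* Wed Mar 04 2026 Example Packager <pkg@example.invalid> - 0.0.0-3.example
- Adjust tests added with the CVE-2026-33523 backport

* Mon Mar 02 2026 Example Packager <pkg@example.invalid> - 0.0.0-2.example
- Backport fix for CVE-2026-33523

* Thu Jan 01 2026 Example Packager <pkg@example.invalid> - 0.0.0-1.example
- Initial build
EOF
}

# Demo on the constructed sample; prints 0.0.0-2.example
sample_changelog | fixed_in CVE-2026-33523

# On a real host the input would come from the installed package instead:
#   rpm -q --changelog httpd | fixed_in CVE-2026-33523 || echo "not listed"
```

A missing changelog entry does not prove the package is affected or unaffected, so the distribution's security advisory remains the authoritative source.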