2465296 – (CVE-2026-29169) CVE-2026-29169 httpd: mod_dav_lock: NULL pointer dereference via specially crafted request

Bug 2465296 (CVE-2026-29169) - CVE-2026-29169 httpd: mod_dav_lock: NULL pointer dereference via specially crafted request

Summary: CVE-2026-29169 httpd: mod_dav_lock: NULL pointer dereference via specially cr...

Keywords:
Status:	NEW
Alias:	CVE-2026-29169
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2476562
Blocks:
TreeView+	depends on / blocked

Reported:	2026-05-04 15:01 UTC by OSIDB Bzimport
Modified:	2026-05-13 09:54 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-05-04 15:01:41 UTC

A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an attacker to crash the server with a malicious request.mod_dav_lock is not used internally by mod_dav or mod_dav_fs.

The only known use-case for mod_dav_lock was mod_dav_svn from Apache Subversion earlier than version 1.2.0.

Users are recommended to upgrade to version 2.4.66, which fixes this issue, or remove mod_dav_lock.

Note You need to log in before you can comment on or make changes to this bug.