Apache HTTP Server 2.4.68 came out on June 8, 2026 — the first point release since 2.4.67 in early May, and per the project’s own download page, it’s “recommended over all previous releases.” If you run your own LAMP stack, this is the patch to schedule this week.
What’s actually in it
The public CVE list on httpd.apache.org hasn’t fully caught up to the release yet, but the individual disclosures have already landed on oss-security and in distro security trackers. Three are worth knowing about specifically.
CVE-2026-49975 (mod_http2, moderate) — This is the “HTTP/2 Bomb” we wrote about last week: an HPACK compression-table trick combined with zero-window stalling that lets an attacker pin tens of gigabytes of server memory using a single connection. At the time, the only available fix was a standalone mod_http2 2.0.41 release outside Apache’s normal release cycle, which meant manually swapping a module. With 2.4.68, that fix is now part of the mainline branch, so it can flow through distro package repositories on their normal update schedule instead of requiring a manual module replacement.
CVE-2026-44119 (multiple modules, moderate) — A privilege-escalation flaw in how Apache evaluates expressions (ap_expr) used in .htaccess files and configuration directives across several modules. The practical effect: in configurations where .htaccess overrides are permitted, expression evaluation could be abused to read files the httpd worker process shouldn’t have access to. On shared hosting, where every customer can write their own .htaccess, this is the one to prioritize.
CVE-2026-29167 (mod_ldap, per-directory config) — A use-after-free in mod_ldap when used in per-directory configuration blocks, reported to the Apache security team back in March and fixed in the 2.4.x branch on June 3. Less broadly relevant unless you’re authenticating against LDAP or Active Directory through Apache, but it’s bundled into the same release.
All three are listed as affecting versions 2.4.0 through 2.4.67 — meaning essentially every Apache install currently in production until it’s upgraded.
The annoying part: distro lag
None of these made the kind of headlines last week’s HTTP/2 bomb did, and none are trivially exploitable from the outside. But the .htaccess privilege escalation matters most on exactly the kind of multi-tenant systems that shared hosting is built on.
The usual catch applies: Apache’s upstream release is out, but Debian, Ubuntu, RHEL/AlmaLinux/Rocky, and cPanel’s bundled Apache (EA-Apache2) all repackage on their own schedules — often backporting just the relevant patches rather than bumping the whole version to 2.4.68. So apachectl -v showing 2.4.67 doesn’t automatically mean you’re exposed, but it doesn’t automatically mean you’re covered either. Check whether your distro or panel vendor has published a corresponding security advisory before assuming either way.
To check your current version:
apachectl -v
And to see whether .htaccess overrides are enabled for a given site, check the AllowOverride directive in your vhost configuration — anything other than AllowOverride None means the expression-evaluation path is reachable by whoever can write to that directory.
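A small audit script to run the two checks above in one go, written for this post as an added example (not from the Apache project or any distro): it parses the `apachectl -v` banner, compares the version against 2.4.68, and lists every AllowOverride directive in a config that is not `None`. The vhost text at the bottom is a constructed sample; point the finder at your own config files to use it for real.

```shell
#!/bin/sh
# Added audit helper: version check plus AllowOverride scan for the .htaccess path.

# Pull "2.4.67" out of a banner line such as "Server version: Apache/2.4.67 (Unix)".
httpd_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Server version: Apache\/\([0-9.]*\).*/\1/p'
}

# True (exit 0) when version $1 is older than $2, comparing each dotted field numerically
# so that 2.4.10 is correctly newer than 2.4.9.
version_older_than() {
    [ "$1" != "$2" ] && \
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

# Print each AllowOverride directive in the given config text that is not "None",
# prefixed by its line number. Commented-out directives are ignored.
# Empty output means .htaccess overrides are disabled in that text.
allowoverride_findings() {
    printf '%s\n' "$1" | grep -n -i '^[[:space:]]*AllowOverride' \
        | grep -v -i 'AllowOverride[[:space:]]*None[[:space:]]*$' || true
}

# Check the live server when apachectl is installed; otherwise report and move on.
audit_running_server() {
    command -v apachectl >/dev/null 2>&1 || { echo "apachectl not found on this host"; return 0; }
    ver=$(httpd_version_from_banner "$(apachectl -v 2>/dev/null | head -n1)")
    if version_older_than "$ver" 2.4.68; then
        echo "httpd $ver predates 2.4.68: confirm your distro backport covers the three CVEs"
    else
        echo "httpd $ver is at or past 2.4.68"
    fi
}

# Constructed sample vhost: one directory locked down, one that lets customers use .htaccess.
SAMPLE_VHOST='<VirtualHost *:80>
    DocumentRoot /var/www/site1
    <Directory /var/www/site1>
        AllowOverride None
    </Directory>
    <Directory /var/www/customers>
        AllowOverride FileInfo AuthConfig
    </Directory>
</VirtualHost>'

audit_running_server
echo "Directories where .htaccess overrides are reachable (sample config):"
allowoverride_findings "$SAMPLE_VHOST"
```

To scan a real install, replace the sample with `allowoverride_findings "$(cat /etc/apache2/sites-enabled/*)"` (Debian/Ubuntu) or the equivalent conf.d path for your distro.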
What this means for kalfaoglu.net customers
Shared hosting customers don’t need to do anything on their end. Server-side Apache and EA-Apache2 updates are part of our normal patch cycle, and we track cPanel’s security advisories specifically for repackaged fixes like this one.
If you run your own VPS or dedicated server with Apache: this week’s task is to upgrade to 2.4.68 if your distro already ships it, or to confirm that your distro’s backport covers CVE-2026-44119, CVE-2026-29167, and CVE-2026-49975 if it doesn’t yet show 2.4.68. If you can’t patch immediately and you allow .htaccess overrides for multiple users on the same server, that configuration is the one to review first — it’s the most directly reachable of the three.