From 8bb28bf05d8ab72b62c34f85b01256f43cf52407 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?=
Date: Wed, 13 May 2026 15:54:58 +0200
Subject: [PATCH] Resolves: RHEL-175074 - httpd:2.4/httpd: NULL pointer dereference can cause a child process crash (CVE-2026-33007)
---
httpd-2.4.37-CVE-2026-33007.patch | 18 ++++++++++++++++++
httpd.spec | 5 +++++
2 files changed, 23 insertions(+)
create mode 100644 httpd-2.4.37-CVE-2026-33007.patch
diff --git a/httpd-2.4.37-CVE-2026-33007.patch b/httpd-2.4.37-CVE-2026-33007.patch
new file mode 100644
index 0000000..1978ce2
--- /dev/null
+++ b/httpd-2.4.37-CVE-2026-33007.patch
@@ -0,0 +1,18 @@
+diff --git a/modules/aaa/mod_authn_socache.c b/modules/aaa/mod_authn_socache.c
+index 550bc66..9b921b8 100644
+--- a/modules/aaa/mod_authn_socache.c
++++ b/modules/aaa/mod_authn_socache.c
+@@ -266,11 +266,10 @@ static const command_rec authn_cache_cmds[] =
+ static const char *construct_key(request_rec *r, const char *context,
+ const char *user, const char *realm)
+ {
++ const char *slash = ap_strrchr_c(r->uri, '/');
+ /* handle "special" context values */
+- if (!strcmp(context, directory)) {
+- /* FIXME: are we at risk of this blowing up? */
++ if (!strcmp(context, directory) && slash) {
+ char *new_context;
+- char *slash = strrchr(r->uri, '/');
+ new_context = apr_palloc(r->pool, slash - r->uri +
+ strlen(r->server->server_hostname) + 1);
+ strcpy(new_context, r->server->server_hostname);
diff --git a/httpd.spec b/httpd.spec
index 1653e55..3f94525 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -301,6 +301,8 @@ Patch253: httpd-2.4.37-CVE-2025-65082.patch Patch254: httpd-2.4.37-CVE-2025-58098.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2466913 Patch255: httpd-2.4.37-CVE-2026-28780.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2465299 +Patch256: httpd-2.4.37-CVE-2026-33007.patch License: ASL 2.0 Group: System Environment/Daemons
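Review bot: The new `&& slash` guard in construct_key makes a request whose `r->uri` contains no '/' skip the per-directory branch silently, and nothing in the hunk documents which context string the cache key is then built from. The rest of the function lies outside the hunk; if it falls through to using `context` as a literal, the key for such requests would presumably no longer carry the server hostname or path prefix, so cached credentials could be shared across a wider scope than the `directory` setting suggests, which is worth confirming against the full function. Since the FIXME is removed, I would put a comment in its place, for example `/* r->uri may contain no '/', leaving slash NULL; skip the per-directory key rather than dereference it */`. Note also that `ap_strrchr_c(r->uri, '/')` now runs for every context value, which relies on `r->uri` never being NULL at this point.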
@@ -546,6 +548,7 @@ interface for storing and accessing per-user session data. %patch253 -p1 -b .CVE-2025-65082 %patch254 -p1 -b .CVE-2025-58098 %patch255 -p1 -b .CVE-2026-28780 +%patch256 -p1 -b .CVE-2026-33007 %patch96 -p1 -b .r1922080
@@ -1060,6 +1063,8 @@ rm -rf $RPM_BUILD_ROOT * Tue May 12 2026 Luboš Uhliarik - 2.4.37-65.8 - Resolves: RHEL-173558 - httpd:2.4/httpd: Apache HTTP Server mod_proxy_ajp: Arbitrary code execution via heap-based buffer overflow (CVE-2026-28780) +- Resolves: RHEL-175074 - httpd:2.4/httpd: NULL pointer dereference can + cause a child process crash (CVE-2026-33007) * Fri Dec 12 2025 Luboš Uhliarik - 2.4.37-65.7 - Resolves: RHEL-135054 - httpd: Apache HTTP Server: mod_userdir+suexec bypass