Resolves: RHEL-175620 - httpd:2.4/httpd: NULL pointer dereference via

specially crafted request (CVE-2026-29169)

httpd-2.4.37-CVE-2026-34032.patch

@@ -0,0 +1,18 @@
+diff --git a/modules/proxy/ajp_msg.c b/modules/proxy/ajp_msg.c
+index 6443b36..3454f62 100644
+--- a/modules/proxy/ajp_msg.c
++++ b/modules/proxy/ajp_msg.c
+@@ -507,7 +507,12 @@ apr_status_t ajp_msg_get_string(ajp_msg_t *msg, const char **rvalue)
+     status = ajp_msg_get_uint16(msg, &size);
+     start = msg->pos;
+ 
+-    if ((status != APR_SUCCESS) || (size + start > msg->max_size)) {
++    if ((status != APR_SUCCESS) || (size + start >= msg->len)) {
++        return ajp_log_overflow(msg, "ajp_msg_get_string");
++    }
++
++    /* Verify that the expected null terminator is actually present */
++    if (msg->buf[start + size] != '\0') {
+         return ajp_log_overflow(msg, "ajp_msg_get_string");
+     }
+ 

httpd.spec

@@ -305,6 +305,8 @@ Patch255: httpd-2.4.37-CVE-2026-28780.patch
 Patch256: httpd-2.4.37-CVE-2026-33007.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2464953
 Patch257: httpd-2.4.37-CVE-2026-33857.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2464952
+Patch258: httpd-2.4.37-CVE-2026-34032.patch
 
 License: ASL 2.0
 Group: System Environment/Daemons
@@ -552,6 +554,7 @@ interface for storing and accessing per-user session data.
 %patch255 -p1 -b .CVE-2026-28780
 %patch256 -p1 -b .CVE-2026-33007
 %patch257 -p1 -b .CVE-2026-33857
+%patch258 -p1 -b .CVE-2026-34032
 
 %patch96 -p1 -b .r1922080
 
@@ -1070,6 +1073,8 @@ rm -rf $RPM_BUILD_ROOT
   cause a child process crash (CVE-2026-33007)
 - Resolves: RHEL-175088 - httpd:2.4/httpd: off-by-one out-of-bounds reads
   in AJP getter functions (CVE-2026-33857)
+- Resolves: RHEL-175620 - httpd:2.4/httpd: NULL pointer dereference via
+  specially crafted request (CVE-2026-29169)
 
 * Fri Dec 12 2025 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-65.7
 - Resolves: RHEL-135054 - httpd: Apache HTTP Server: mod_userdir+suexec bypass