Linuxsecurity
Oracle Linux 9 Vulnerabilities Lead to Critical Security Advisories
Two important advisories have been issued for Oracle Linux 9, addressing critical vulnerabilities in the Apache HTTP Server. The first advisory (ELSA-2026-21391) details multiple CVEs, including CVE-2026-28780, which allows arbitrary code execution via a heap-based buffer overflow. Other vulnerabilities include CVE-2026-33007, a NULL pointer dereference, and CVE-2026-34059, which involves memory disclosure. The second advisory (ELSA-2026-25057) focuses on mod_http2, which is susceptible to a remote Denial of Service (DoS) attack via a compression bomb (CVE-2026-49975). Both advisories affect Oracle Linux 9 and require immediate attention from system administrators to mitigate risks. If not patched promptly, the vulnerabilities could lead to service disruptions and unauthorized access.
Key Points:
• Oracle Linux 9 has critical vulnerabilities affecting Apache HTTP Server and mod_http2.
• CVE-2026-28780 enables arbitrary code execution, posing a severe threat to affected systems.
• Immediate patching is necessary to prevent potential service disruptions and unauthorized access.