CVE-2019-0211

HIGH KEV RANSOMWARE

Apache HTTP Server 2.4.17-2.4.38 - Use-After-Free in Scoreboard

Title source: llm

Exploitation Summary

CVE-2019-0211 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021, with confirmed use in ransomware campaigns. EIP tracks 5 public exploits from researchers including cfreal, ozkanbilge and vaishakhcv.

AI-analyzed exploit summary: This exploit leverages a use-after-free (UAF) vulnerability in Apache HTTP Server (CVE-2019-0211) to achieve local privilege escalation (LPE) by manipulating memory structures to gain arbitrary read/write capabilities, ultimately leading to root access via logrotate.

Description

In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected.

Exploits (5)

exploitdb WORKING POC
by cfreal · php · local · linux
https://www.exploit-db.com/exploits/46676

This exploit leverages a use-after-free (UAF) vulnerability in Apache HTTP Server (CVE-2019-0211) to achieve local privilege escalation (LPE) by manipulating memory structures to gain arbitrary read/write capabilities, ultimately leading to root access via logrotate.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Apache HTTP Server 2.4.25 (with PHP 7.2.12 on Debian GNU/Linux 9.6)
No auth needed
Prerequisites: Local access to the target system · Apache HTTP Server with vulnerable configuration · PHP module loaded · Logrotate configured to restart Apache
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 11 stars
by ozkanbilge · local
https://github.com/ozkanbilge/Apache-Exploit-2019

This is a local privilege escalation (LPE) exploit for CVE-2019-0211, targeting Apache HTTPd on specific Linux distributions. It leverages a use-after-free (UAF) vulnerability in PHP to manipulate memory structures and achieve root privileges via logrotate.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Apache HTTPd (2.4.18, 2.4.25, 2.4.29) with PHP (7.1.27, 7.2.15, 7.2.16, 7.3.3)
No auth needed
Prerequisites: Local access to the target system · Apache HTTPd with vulnerable PHP version · Logrotate configured to restart Apache
devstral-2 · analyzed Feb 16, 2026

github WORKING POC 1 stars
by vaishakhcv · perl · poc
https://github.com/vaishakhcv/CVE-exploits/tree/master/CVE-2019-0211

This repository contains a functional exploit for CVE-2019-0211, a local privilege escalation vulnerability in Apache HTTP Server. The exploit leverages a race condition in the mod_cgid module to achieve root privileges by manipulating file permissions and executing a malicious payload.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Apache HTTP Server 2.4.17 to 2.4.38
No auth needed
Prerequisites: Access to a vulnerable Apache HTTP Server instance · Ability to upload files to the server
devstral-2 · analyzed Feb 27, 2026

nomisec WORKING POC
by Jeanback1 · local
https://github.com/Jeanback1/CVE-2019-0211-exploit

This repository contains a functional exploit for CVE-2019-0211, a local privilege escalation vulnerability in Apache HTTP Server. The exploit leverages a Use-After-Free (UAF) in PHP to gain arbitrary read/write access to memory, corrupting Apache's scoreboard to execute commands as root during a graceful restart.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Apache HTTP Server 2.4.17-2.4.38 with mod_php
No auth needed
Prerequisites: Shell access as www-data · Ability to upload PHP files to the server · Apache with mod_php and MPM prefork/worker/event
devstral-2 · analyzed Jun 01, 2026

github WORKING POC
by winterwolf32 · perl · poc
https://github.com/winterwolf32/CVE_Exploits-/tree/master/CVE-2019-0211

The repository contains a functional Perl exploit for CVE-2019-0211, a local privilege escalation vulnerability in Apache HTTP Server. The exploit leverages a race condition in the mod_cgid module to execute arbitrary code with root privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Racy
Target: Apache HTTP Server 2.4.17 to 2.4.38
No auth needed
Prerequisites: Access to a local shell on the target system · Apache HTTP Server with mod_cgid enabled
devstral-2 · analyzed Feb 27, 2026

References (52)

Core References
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2019/04/02/3
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/107666
Mailing List, Third Party Advisory mailing-list x_refsource_bugtraq
https://seclists.org/bugtraq/2019/Apr/5
Third Party Advisory x_refsource_confirm
https://www.synology.com/security/advisory/Synology_SA_19_14
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3937-1/
Mailing List, Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2019/dsa-4422
Mailing List, Patch, Third Party Advisory mailing-list x_refsource_bugtraq
https://seclists.org/bugtraq/2019/Apr/16
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46676/
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/152415/Slackware-Security-Advisory-httpd-Updates.html
Broken Link, Vendor Advisory x_refsource_misc
http://www.apache.org/dist/httpd/CHANGES_2.4.39
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:0746
Broken Link, Mailing List, Release Notes, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00051.html
Third Party Advisory x_refsource_confirm
https://support.f5.com/csp/article/K32957101
Broken Link, Mailing List, Release Notes, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00061.html
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201904-20
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20190423-0001/
Broken Link, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00084.html
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:0980
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHBA-2019:0959
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:1297
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:1296
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:1543
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2019/07/26/7
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuapr2020.html

Scores

CVSS v3 7.8
EPSS 0.6501
EPSS Percentile 99.1%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2021-11-03
InTheWild.io 2021-07-23
ENISA EUVD EUVD-2019-1002
Ransomware Use Confirmed
CWE CWE-416
Status published
Products (50)
apache/http_server 2.4.17 - 2.4.38
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 18.10
debian/debian_linux 9.0
fedoraproject/fedora 28
fedoraproject/fedora 29
fedoraproject/fedora 30
netapp/oncommand_unified_manager
... and 40 more
Published Apr 08, 2019
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026