Apache mod_proxy_ftp Infinite Loop Denial of Service

CVE-2026-44186 is an infinite loop vulnerability in Apache HTTP Server's mod_proxy_ftp module affecting versions 2.4.0 through 2.4.67. When processing requests through a malicious or compromised FTP backend server, the module can enter an unreachable exit condition, causing the affected Apache process to hang indefinitely. This vulnerability matters because it enables denial of service attacks against any organization using Apache as an FTP proxy—a legitimate use case for environments that need to gateway FTP traffic. The attack requires no authentication and can be triggered remotely by controlling or compromising the backend FTP server, making it a significant availability risk for infrastructure teams relying on mod_proxy_ftp for FTP service proxying.

While this CVE doesn't map directly to MITRE ATT&CK techniques, Casky's 754 security skills enable practitioners to understand the underlying attack surface through code-level analysis and resource exhaustion detection patterns. Using Claude's extended reasoning, practitioners can map this to T1499 (Endpoint Denial of Service) and identify indicators such as Apache processes entering indefinite wait states, 100% CPU consumption on specific worker threads, and FTP control connection sequences that trigger the unreachable exit path. Practitioners would observe findings highlighting suspicious FTP response patterns—particularly malformed or adversarial FTP server replies—combined with process behavior anomalies that precede service degradation, allowing them to detect exploitation attempts before production impact occurs.