How I discovered CVE-2025-49630 — a reachable assertion in h2_proxy_util.c that crashes all Apache workers with a single netcat command. Affects Apache 2.4.26 through 2.4.63. Fixed in 2.4.64.
Posts for: #Apache
1-Day Analysis: CVE-2024-38477 — NULL Pointer Dereference in Apache mod_proxy
1-day analysis of CVE-2024-38477: a NULL pointer dereference in ap_proxy_determine_connection() when apr_uri_parse() returns success but leaves hostname NULL. Includes patch diff, GDB crash validation, and an honest account of failed exploitation attempts.
From Cookie Parser to Crash: Root Cause Analysis of CVE-2021-26690
Deep dive into CVE-2021-26690 — a NULL pointer dereference in Apache HTTP Server’s mod_session that allows unauthenticated remote DoS via a crafted Cookie header.