1-day analysis of CVE-2024-38477: a NULL pointer dereference in ap_proxy_determine_connection() when apr_uri_parse() returns success but leaves hostname NULL. Includes patch diff, GDB crash validation, and an honest account of failed exploitation attempts.

Deep dive into CVE-2021-26690 — a NULL pointer dereference in Apache HTTP Server’s mod_session that allows unauthenticated remote DoS via a crafted Cookie header.