Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE

The Apache Software Foundation has released security updates addressing multiple flaws in Apache HTTP Server, including a severe double-free bug in the HTTP/2 module that can lead to denial of service and potentially to remote code execution. The issue, tracked as CVE-2026-23918 and affecting httpd 2.4.66, was reported by Bartlomiej Dmitruk and Stanislaw Strzalkowski and is fixed in 2.4.67; administrators are advised to apply the update immediately. #CVE-2026-23918 #ApacheHTTPServer

Keypoints

  • CVE-2026-23918 is a double-free vulnerability in mod_http2’s stream cleanup path that can be triggered by specific HTTP/2 frame sequences.
  • The flaw allows a trivial denial of service: a single TCP connection carrying two frames is enough against a default mod_http2 configuration running on a multi-threaded MPM (such as event or worker).
  • Remote code execution is practical on systems using APR’s mmap allocator (default on Debian-derived systems and the official httpd Docker image) via heap reuse and scoreboard-based fake structures.
  • The bug affects Apache HTTP Server 2.4.66 and has been addressed in version 2.4.67.
  • Researchers Bartlomiej Dmitruk and Stanislaw Strzalkowski reported the issue; users should upgrade to 2.4.67 immediately or, where that is not yet possible, mitigate by running an unaffected configuration such as the prefork MPM.
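
As an added exposure check (not part of the report, the advisory, or Apache's own tooling): a POSIX shell script that reads the server version and MPM from `httpd -V` and the loaded modules from `httpd -M`, then classifies the host against the facts listed above (fixed in 2.4.67; mod_http2 on a threaded MPM is the DoS target; prefork is the cited mitigation). The sample `httpd -V` and `httpd -M` output embedded in the script is constructed, and the category labels are this script's own, not Apache's.

```shell
#!/bin/sh
# Added example, not from the advisory or from Apache: triage a host for CVE-2026-23918
# from `httpd -V` (version, MPM) and `httpd -M` (loaded modules) output.
# Classification follows the key points above: fixed in 2.4.67; mod_http2 on a
# threaded MPM (event, worker) is the DoS target; prefork is the cited mitigation.

# version_lt A B: succeed if dotted version A sorts numerically before B
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

# parse_version / parse_mpm: pull the fields out of captured `httpd -V` text
parse_version() {
    printf '%s\n' "$1" | sed -n 's/^Server version: Apache\/\([0-9.]*\).*/\1/p' | head -n1
}
parse_mpm() {
    printf '%s\n' "$1" | sed -n 's/^Server MPM:[[:space:]]*\([A-Za-z_]*\).*/\1/p' | head -n1
}

# http2_loaded: yes|no depending on whether `httpd -M` lists http2_module
http2_loaded() {
    if printf '%s\n' "$1" | grep -q '^[[:space:]]*http2_module'; then echo yes; else echo no; fi
}

# classify VERSION MPM HTTP2_LOADED -> one label (labels are this script's own):
#   UNKNOWN_VERSION          version string could not be parsed
#   PATCHED                  2.4.67 or later
#   NOT_EXPOSED_NO_HTTP2     vulnerable build, but mod_http2 is not loaded
#   VULNERABLE_PREFORK       bug present; prefork avoids the threaded-MPM DoS path, still patch
#   VULNERABLE_THREADED_MPM  the configuration the report describes as trivially DoS-able
classify() {
    ver=$1; mpm=$2; h2=$3
    [ -n "$ver" ] || { echo UNKNOWN_VERSION; return; }
    if ! version_lt "$ver" 2.4.67; then echo PATCHED; return; fi
    [ "$h2" = yes ] || { echo NOT_EXPOSED_NO_HTTP2; return; }
    case "$mpm" in
        prefork) echo VULNERABLE_PREFORK ;;
        *)       echo VULNERABLE_THREADED_MPM ;;
    esac
}

# assess_local: run the check against the binary on this host, if one is installed
assess_local() {
    bin=$(command -v httpd || command -v apache2ctl || command -v apachectl) ||
        { echo "no httpd/apachectl binary found" >&2; return 1; }
    v=$("$bin" -V 2>/dev/null); m=$("$bin" -M 2>/dev/null)
    classify "$(parse_version "$v")" "$(parse_mpm "$v")" "$(http2_loaded "$m")"
}

# Constructed sample output (not captured from a real host) so the script runs stand-alone
SAMPLE_V='Server version: Apache/2.4.66 (Unix)
Server MPM:     event
  threaded:     yes (fixed thread count)'
SAMPLE_M='Loaded Modules:
 core_module (static)
 mpm_event_module (shared)
 http2_module (shared)'

demo() {
    classify "$(parse_version "$SAMPLE_V")" "$(parse_mpm "$SAMPLE_V")" "$(http2_loaded "$SAMPLE_M")"
}

demo                       # prints VULNERABLE_THREADED_MPM for the constructed sample
assess_local || true       # real host, if httpd is installed
```

The version comparison sorts each dotted field numerically rather than lexically, so 2.4.9 is correctly treated as older than 2.4.67. On Debian-derived systems `apache2ctl` is used because the `apache2` binary needs the environment that the control script sets up before `-V` and `-M` work.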

Read More: https://thehackernews.com/2026/05/critical-apache-http2-flaw-cve-2026.html