Apache fixes critical HTTP/2 double-free flaw CVE-2026-23918 enabling RCE

Apache fixed several flaws in HTTP Server, including CVE-2026-23918 (CVSS score of 8.8), a double-free bug in HTTP/2 that could allow remote code execution.

The Apache Software Foundation has released updates that fix multiple vulnerabilities in Apache HTTP Server, including CVE-2026-23918 (CVSS score of 8.8). The flaw is a double free in the server's HTTP/2 handling that could lead to remote code execution.

Researchers Bartlomiej Dmitruk of striga.ai and Stanislaw Strzalkowski of isec.pl discovered the vulnerability.

“Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol,” reads the advisory.

The vulnerability affects Apache HTTP Server 2.4.66 and is fixed in 2.4.67.

According to The Hacker News, CVE-2026-23918 is a double free in mod_http2 of httpd 2.4.66: a crafted sequence of HTTP/2 frames causes the same stream to be cleaned up twice, corrupting heap memory. The most straightforward outcome is denial of service, since the corruption crashes the worker process with minimal effort on the attacker's part. In certain setups, in particular where APR uses mmap (common on Debian systems and in the official Docker images), the flaw may also be exploitable for remote code execution.

Turning the bug into code execution depends on specific build and runtime conditions and requires additional steps, but a working proof of concept exists. Notably, servers running the MPM prefork module are not affected; because HTTP/2 is so widely enabled, however, overall exposure is significant, and administrators should upgrade to 2.4.67.
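The exposure conditions described above (httpd 2.4.66, mod_http2 loaded, an MPM other than prefork) can be turned into a quick triage script. The following is an added example written for this article, not code from the Apache project, the advisory or the researchers. It parses the text of `httpd -v`, `httpd -V` and `httpd -M`, which are standard httpd flags; the sample outputs embedded below are constructed, and the affected-version check follows this article's statement that 2.4.66 is affected and 2.4.67 is fixed.

```shell
#!/bin/sh
# Added example: triage whether an httpd host is in the exposed configuration
# for CVE-2026-23918 as described in the article (2.4.66 + mod_http2 + non-prefork MPM).
# Sample outputs below are constructed, not captured from a real server.

# Pull the version number out of the `httpd -v` banner ("Server version: Apache/2.4.66 (Unix)").
httpd_version() {
    printf '%s\n' "$1" | sed -n 's/^Server version: Apache\/\([0-9.]*\).*/\1/p'
}

# Affected version per the article: 2.4.66 (fixed in 2.4.67). Assumption: only 2.4.66 is flagged.
version_affected() {
    [ "$1" = "2.4.66" ]
}

# Extract the MPM name from `httpd -V` ("Server MPM:     event").
httpd_mpm() {
    printf '%s\n' "$1" | sed -n 's/^Server MPM: *\([A-Za-z]*\).*/\1/p'
}

# True when `httpd -M` lists http2_module (mod_http2) as loaded.
http2_loaded() {
    printf '%s\n' "$1" | grep -q 'http2_module'
}

# triage <httpd -v output> <httpd -V output> <httpd -M output>
# Returns 0 when the host matches the exposed configuration, 1 otherwise.
triage() {
    v=$(httpd_version "$1")
    m=$(httpd_mpm "$2")
    if ! version_affected "$v"; then
        echo "not affected: httpd $v"; return 1
    fi
    if ! http2_loaded "$3"; then
        echo "not exposed: mod_http2 not loaded (httpd $v)"; return 1
    fi
    if [ "$m" = "prefork" ]; then
        echo "not exposed: MPM prefork (httpd $v)"; return 1
    fi
    echo "EXPOSED: httpd $v, MPM $m, mod_http2 loaded; upgrade to 2.4.67"
    return 0
}

# Constructed sample outputs standing in for a live host.
SAMPLE_V='Server version: Apache/2.4.66 (Unix)
Server built:   (constructed sample)'
SAMPLE_VV='Server version: Apache/2.4.66 (Unix)
Server MPM:     event
  threaded:     yes (fixed thread count)'
SAMPLE_M='Loaded Modules:
 core_module (static)
 mpm_event_module (shared)
 http2_module (shared)'

# On a real host replace the samples with: triage "$(httpd -v)" "$(httpd -V)" "$(httpd -M 2>/dev/null)"
if triage "$SAMPLE_V" "$SAMPLE_VV" "$SAMPLE_M"; then
    echo "action: patch or disable mod_http2 until upgraded"
fi
```

The script only reports the configuration; it does not attempt to trigger the bug. Run it against `apachectl -V` / `apache2ctl -M` output on distributions that rename the binary, and treat a "not affected" result as provisional if the package carries a vendor version string that differs from upstream.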


Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)
