
Critical Apache HTTP/2 Double-Free Flaw Enables Denial-of-Service and Potential Remote Code Execution

Severity: Critical (Double Free / RCE) | CVE: CVE-2026-23918 | CVSS: 8.8 (High) | Type: Memory Corruption | Patch: Available in 2.4.67

Vulnerability Overview

The Apache Software Foundation has released security updates to address several vulnerabilities in Apache HTTP Server, including a double-free memory corruption flaw that can be exploited for denial-of-service and, under favorable conditions, remote code execution. Tracked as CVE-2026-23918 with a CVSS score of 8.8, the vulnerability resides in the mod_http2 module and affects only Apache HTTP Server version 2.4.66.

The flaw was discovered by Striga.ai co-founder Bartlomiej Dmitruk and ISEC.pl researcher Stanislaw Strzalkowski, who told The Hacker News that the severity of CVE-2026-23918 is critical, as it can be exploited to achieve both denial-of-service and remote code execution. The vulnerability was reported to the Apache security team on December 10, 2025, fixed in source the following day, and shipped to users in the 2.4.67 release on May 4, 2026.

No active exploitation has been confirmed as of the disclosure date. However, a proof-of-concept demonstrating a reliable crash has already been published on GitHub, and the researchers have confirmed they built a working exploit for x86_64 in lab conditions. Given that Apache HTTP Server powers a significant share of the world's web infrastructure, rapid patching is essential.

CVE ID: CVE-2026-23918
CVSS Score: 8.8 (High)
Vulnerability Type: Double Free (CWE-415)
Affected Component: mod_http2 (h2_mplx.c)
Attack Vector: Network (remote)
Authentication: None required
Vendor: Apache Software Foundation
Product: Apache HTTP Server
Affected Version: 2.4.66
Fixed Version: 2.4.67
Discovered By: B. Dmitruk, S. Strzalkowski
Exploitation Status: PoC available; no in-the-wild exploitation confirmed

Technical Details

CVE-2026-23918 is a double-free vulnerability in the stream cleanup path of h2_mplx.c within Apache's mod_http2 module. The bug is triggered when a client sends an HTTP/2 HEADERS frame immediately followed by an RST_STREAM frame with a non-zero error code on the same stream, before the multiplexer has finished registering the stream internally.

This sequence creates a race in which two separate callbacks, the session handler and the backend worker, both attempt to purge the same stream's memory pool. When Apache later iterates over the cleanup array to destroy stream entries, a pool that has already been freed is released a second time. This corrupts the APR allocator's internal free list and leaves the heap in an inconsistent state, which is what makes both the crash and the (harder) code-execution outcome possible.

According to analysis published by SOC Prime, the denial-of-service path is the most straightforward outcome. The researchers confirmed that a single TCP connection carrying just two HTTP/2 frames is enough to crash a worker process in default deployments that use mod_http2 with a multi-threaded MPM such as event or worker. Notably, MPM prefork is not affected by this vulnerability.
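The trigger sequence above is visible on the wire without decoding any HPACK, which is what makes it practical to flag at a proxy or in a packet capture. The following detector is an added example, not code from the advisory, the researchers, or the published PoC: it walks RFC 9113 frames in a client-to-server byte stream and reports every stream whose HEADERS frame is followed, with no other frame on that stream in between, by RST_STREAM carrying a non-zero error code. The `build_frame` helper and the `SAMPLE` capture are constructed for illustration (the two-byte header block is a deliberately incomplete request, since the detector does not care about header content); it assumes the capture starts at the connection preface or at a frame boundary.

```python
"""Detect the HEADERS-then-RST_STREAM(non-zero error) sequence on HTTP/2
streams in a captured client-to-server byte stream.  Added example: the
frame builder and the sample capture below are constructed for illustration
and are not the published PoC."""
import struct
from dataclasses import dataclass

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"   # client connection preface, RFC 9113 s3.4
FRAME_DATA, FRAME_HEADERS, FRAME_RST_STREAM, FRAME_SETTINGS = 0x0, 0x1, 0x3, 0x4
FLAG_END_STREAM, FLAG_END_HEADERS = 0x1, 0x4
ERROR_NAMES = {0x0: "NO_ERROR", 0x1: "PROTOCOL_ERROR", 0x8: "CANCEL", 0xB: "ENHANCE_YOUR_CALM"}


@dataclass
class Frame:
    ftype: int
    flags: int
    stream_id: int
    payload: bytes


def parse_frames(data: bytes):
    """Yield frames from raw bytes: 9-byte header (24-bit length, type, flags,
    31-bit stream id) followed by the payload (RFC 9113 s4.1)."""
    if data.startswith(PREFACE):
        data = data[len(PREFACE):]
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break                      # truncated capture: stop, do not guess
        yield Frame(ftype, flags, stream_id, payload)
        off += 9 + length


def find_headers_then_reset(data: bytes):
    """Return [(stream_id, error_code), ...] for every stream whose HEADERS
    frame is immediately followed (no other frame on that stream in between)
    by RST_STREAM with a non-zero error code.  Stream 0 frames such as
    SETTINGS and PING are connection-level and do not break the sequence."""
    last_type = {}
    hits = []
    for f in parse_frames(data):
        if f.stream_id == 0:
            continue
        if f.ftype == FRAME_RST_STREAM and len(f.payload) == 4:
            code = struct.unpack(">I", f.payload)[0]
            if last_type.get(f.stream_id) == FRAME_HEADERS and code != 0:
                hits.append((f.stream_id, code))
        last_type[f.stream_id] = f.ftype
    return hits


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Serialise one frame; used only to construct the sample capture."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack(">I", stream_id) + payload)


# Constructed sample capture.  Stream 1 shows the suspect pattern; stream 3 is
# a normal request that the client later resets with NO_ERROR after a body.
# 0x82 0x84 are HPACK static-table indices for ":method GET" and ":path /";
# the detector does not decode HPACK, so the header block content is irrelevant.
SAMPLE = (
    PREFACE
    + build_frame(FRAME_SETTINGS, 0, 0)
    + build_frame(FRAME_HEADERS, FLAG_END_HEADERS, 1, b"\x82\x84")
    + build_frame(FRAME_RST_STREAM, 0, 1, struct.pack(">I", 0x8))      # CANCEL
    + build_frame(FRAME_HEADERS, FLAG_END_HEADERS, 3, b"\x82\x84")
    + build_frame(FRAME_DATA, FLAG_END_STREAM, 3, b"x")
    + build_frame(FRAME_RST_STREAM, 0, 3, struct.pack(">I", 0x0))      # NO_ERROR
)

if __name__ == "__main__":
    for sid, code in find_headers_then_reset(SAMPLE):
        print(f"stream {sid}: HEADERS followed by RST_STREAM({ERROR_NAMES.get(code, hex(code))})")
```

Run against the sample it reports stream 1 only; stream 3 is ignored both because a DATA frame intervenes and because its reset carries NO_ERROR. On a TLS-terminating proxy the same logic applies to the decrypted stream; on the wire it only works for h2c or where you already have the TLS keys. Legitimate clients do cancel streams immediately after HEADERS (for example when a user navigates away), so treat a single hit as a lead and a burst of them from one connection as the signal.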

RCE Path Confirmed in Lab Conditions

The researchers confirmed to The Hacker News that the possible RCE path depends on the APR memory allocator using mmap, which is the default configuration on Debian-derived distributions and the official Apache httpd Docker image. Practical exploitation for code execution still requires favorable conditions including an information leak and predictable memory reuse patterns. At this stage, process crashes and worker instability are the most likely real-world impact, though the RCE path should not be dismissed.

Affected Versions

The vulnerability specifically affects Apache HTTP Server version 2.4.66. As The CyberSec Guru noted, older releases are not affected by this specific bug. The fix was shipped in version 2.4.67; reports differ on how many other issues that release addresses (The CyberSec Guru cites four additional vulnerabilities alongside CVE-2026-23918, while other coverage puts the release total at 11 security issues).

Version            Status        Module Affected   Conditions
Apache 2.4.66      Vulnerable    mod_http2         HTTP/2 enabled + threaded MPM (event or worker)
Apache 2.4.67      Fixed         -                 -
Apache < 2.4.66    Not affected  -                 -

Recommendations

  1. Upgrade to Apache HTTP Server 2.4.67 immediately. This is the only complete fix. The updated version is available from the official Apache HTTP Server download page. The release resolves CVE-2026-23918 along with the other security issues fixed in 2.4.67.
  2. Disable HTTP/2 as a temporary mitigation. If an immediate upgrade is not possible, unload mod_http2 to remove the attack surface entirely (on Debian and Ubuntu, `a2dismod http2`; elsewhere, comment out the `LoadModule http2_module` line and restart httpd). This blocks both the DoS and the RCE vector while the upgrade is planned.
  3. Verify your MPM configuration. Systems running MPM prefork are not affected. `apachectl -V` (or `httpd -V`) prints the version and the `Server MPM` line, and `apachectl -M` lists loaded modules; if the output shows 2.4.66, `http2_module`, and an event or worker MPM, your deployment is in the vulnerable configuration.
  4. Monitor for unexpected worker crashes. The most likely exploitation outcome is repeated worker process crashes. Watch the Apache error log for lines of the form `child pid N exit signal Segmentation fault (11)` and for abnormal child restarts; a cluster of these on an otherwise stable host is a stronger signal than a single one.
  5. Review HTTP/2 traffic for anomalous patterns. The trigger is a HEADERS frame followed immediately by an RST_STREAM with a non-zero error code on the same stream. Network monitoring tools or WAF rules that flag rapid stream resets on HTTP/2 connections may help detect exploitation attempts.
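Steps 3 and 4 reduce to parsing three pieces of text: the `apachectl -V` and `apachectl -M` output, and the error log. The script below is an added example and not part of the advisory or of Apache's tooling. It classifies a host's exposure using only the conditions the advisory states (version 2.4.66, mod_http2 loaded, non-prefork MPM) and counts the worst burst of worker segfaults in any five-minute window. The `V_OUT`, `M_OUT` and `LOG` samples are constructed to match the default httpd output and `ErrorLogFormat`; they are not captures from a real system, and the AH00052 message is assumed to be the one httpd logs when a child exits on a signal.

```python
"""Exposure check for CVE-2026-23918 from saved `apachectl -V` / `apachectl -M`
output, plus a counter for worker segfaults in the error log.  Added example;
the sample outputs and log lines below are constructed, not real captures."""
import re
from datetime import datetime, timedelta

VULNERABLE_VERSION = "2.4.66"          # the only release the advisory lists as affected
THREADED_MPMS = {"event", "worker"}    # prefork is not affected


def parse_server_info(v_output: str) -> dict:
    """Pull version and MPM name out of `apachectl -V` (or `httpd -V`) text."""
    ver = re.search(r"Server version:\s*Apache/(\d+\.\d+\.\d+)", v_output)
    mpm = re.search(r"Server MPM:\s*(\w+)", v_output)
    return {
        "version": ver.group(1) if ver else None,
        "mpm": mpm.group(1).lower() if mpm else None,
    }


def http2_loaded(m_output: str) -> bool:
    """True if `apachectl -M` lists http2_module (shared or static)."""
    return re.search(r"^\s*http2_module\b", m_output, re.MULTILINE) is not None


def classify_exposure(v_output: str, m_output: str) -> str:
    """Apply the advisory's conditions in order of cheapest exclusion first."""
    info = parse_server_info(v_output)
    version, mpm = info["version"], info["mpm"]
    if version is None:
        return "unknown: could not read server version"
    if version != VULNERABLE_VERSION:
        return f"not affected: version {version}"
    if not http2_loaded(m_output):
        return "not exposed: mod_http2 not loaded"
    if mpm == "prefork":
        return "not exposed: prefork MPM"
    if mpm not in THREADED_MPMS:
        return f"review: 2.4.66 with mod_http2, MPM '{mpm}' not recognised"
    return f"vulnerable: 2.4.66 with mod_http2 on {mpm} MPM"


# AH00052 is assumed to be the message httpd's parent logs when a child exits
# on a signal; the regex tolerates both "[pid N]" and "[pid N:tid M]".
SEGV_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[core:notice\] \[pid \d+(?::tid \d+)?\] "
    r"AH00052: child pid \d+ exit signal Segmentation fault \(11\)"
)
TS_FMT = "%a %b %d %H:%M:%S.%f %Y"   # default ErrorLogFormat timestamp


def max_segfaults_in_window(log_text: str, window: timedelta = timedelta(minutes=5)) -> int:
    """Largest number of worker segfaults that fall inside any span of length
    `window` (sliding window over sorted timestamps)."""
    times = sorted(
        datetime.strptime(m.group("ts"), TS_FMT)
        for m in (SEGV_RE.match(line) for line in log_text.splitlines()) if m
    )
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


# --- constructed samples (not captured from a real system) ------------------
V_OUT = """Server version: Apache/2.4.66 (Debian)
Server built:   May  4 2026 10:00:00
Architecture:   64-bit
Server MPM:     event
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
"""
M_OUT = """Loaded Modules:
 core_module (static)
 so_module (static)
 mpm_event_module (shared)
 http2_module (shared)
 ssl_module (shared)
"""
LOG = """[Mon May 04 10:12:01.100000 2026] [mpm_event:notice] [pid 1200:tid 1200] AH00489: Apache/2.4.66 (Debian) configured -- resuming normal operations
[Mon May 04 10:12:31.200000 2026] [core:notice] [pid 1200:tid 1200] AH00052: child pid 1301 exit signal Segmentation fault (11)
[Mon May 04 10:12:33.300000 2026] [core:notice] [pid 1200:tid 1200] AH00052: child pid 1302 exit signal Segmentation fault (11)
[Mon May 04 10:13:05.400000 2026] [core:notice] [pid 1200:tid 1200] AH00052: child pid 1303 exit signal Segmentation fault (11)
[Mon May 04 10:40:00.000000 2026] [core:notice] [pid 1200:tid 1200] AH00052: child pid 1304 exit signal Segmentation fault (11)
"""

if __name__ == "__main__":
    print(classify_exposure(V_OUT, M_OUT))
    print("segfaults in worst 5-minute window:", max_segfaults_in_window(LOG))
```

Feed it the real command output (`apachectl -V > v.txt; apachectl -M > m.txt`) and the error log path for your distribution. The version check is an exact match because the advisory names a single affected release; if you run a vendor-patched build whose version string stays at 2.4.66 after the fix is backported, the script will still report it as vulnerable, so confirm against the package changelog in that case. A segfault count of zero does not prove the absence of attempts, only the absence of successful crashes.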

Context

Apache HTTP Server remains one of the most widely deployed web servers in the world, powering millions of websites and serving as a reverse proxy in countless enterprise architectures. The combination of unauthenticated remote access, the potential for code execution, and the minimal effort required to trigger a crash makes CVE-2026-23918 a particularly noteworthy vulnerability.

This is the second major HTTP/2 protocol-level vulnerability to affect Apache in recent years, following the HTTP/2 Rapid Reset attack (CVE-2023-44487) that impacted multiple web server implementations. The disclosure was posted to the oss-security mailing list on May 4, 2026. While Red Hat has classified the issue as "Important" and confirmed that Red Hat Enterprise Linux 10 is not affected, organizations running the vulnerable version on Debian-derived systems or Docker containers should treat this as an urgent priority due to the default APR mmap allocator configuration that enables the RCE path.
