
Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE

Published:

5 May 2026 at 16:19:00

Alert date:

5 May 2026 at 17:01:38

Source:

thehackernews.com


Web Technologies, Zero-Day Vulnerabilities

The Apache Software Foundation has released security updates for a critical vulnerability in Apache HTTP Server. CVE-2026-23918 is an HTTP/2 protocol handling flaw with a CVSS score of 8.8: a double free that could potentially lead to remote code execution (RCE). The bug lies in the server's HTTP/2 implementation, so only deployments with HTTP/2 enabled are exposed. Organizations running Apache HTTP Server with HTTP/2 enabled should apply the security updates immediately to prevent potential exploitation.

Technical details

CVE-2026-23918 is a double-free vulnerability in mod_http2 of Apache httpd 2.4.66, specifically in the stream cleanup path in h2_mplx.c. The bug triggers when a client sends an HTTP/2 HEADERS frame immediately followed by a RST_STREAM with a non-zero error code on the same stream, before the multiplexer has registered the stream. Two nghttp2 callbacks then fire in sequence, and each pushes the same h2_stream pointer onto the spurge cleanup array, so the pointer appears there twice. When c1_purge_streams iterates over the array and calls h2_stream_destroy on each entry, the second call operates on already-freed memory. The RCE path requires APR built with the mmap allocator and uses Apache's scoreboard memory as a stable container for fake structures.
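The defect class described above, modelled in a small added C example that is not Apache's code: a purge array that two callbacks both append the same stream to, and a purge loop that destroys every entry. The names (stream_t, mplx_t, schedule_purge_vuln, schedule_purge_fixed, purge_streams) are hypothetical. The destructor only counts calls instead of freeing, so the vulnerable variant can be executed safely; the hardened variant makes scheduling idempotent, which is the general fix for "queued for cleanup twice" bugs.

```c
#include <assert.h>
#include <stdlib.h>
#include <string.h>

/* Minimal model of an HTTP/2 stream and a multiplexer purge list.
 * Added illustration of the bug class in the advisory; all names here are
 * hypothetical and this is not Apache's own code. */
#define MAX_PURGE 16

typedef struct {
    int id;
    int destroy_calls;   /* how many times destroy ran on this stream */
    int purge_scheduled; /* hardened path: set once the stream is queued */
} stream_t;

typedef struct {
    stream_t *spurge[MAX_PURGE]; /* streams waiting to be destroyed */
    int n;
} mplx_t;

/* Stand-in for the real destructor. In production this frees the stream,
 * so a second call on the same pointer is a double free; here we only
 * count calls so the vulnerable variant can run without undefined behaviour. */
static void stream_destroy(stream_t *s)
{
    s->destroy_calls++;
}

/* Vulnerable pattern: unconditionally append to the purge list. */
static void schedule_purge_vuln(mplx_t *m, stream_t *s)
{
    if (m->n < MAX_PURGE)
        m->spurge[m->n++] = s;
}

/* Hardened pattern: scheduling is idempotent; a stream is queued at most once.
 * Returns 1 if queued, 0 if already queued, -1 if the list is full. */
static int schedule_purge_fixed(mplx_t *m, stream_t *s)
{
    if (s->purge_scheduled)
        return 0;
    /* defence in depth: also refuse if the pointer already sits in the array */
    for (int i = 0; i < m->n; i++)
        if (m->spurge[i] == s)
            return 0;
    if (m->n >= MAX_PURGE)
        return -1;
    s->purge_scheduled = 1;
    m->spurge[m->n++] = s;
    return 1;
}

/* Purge loop: destroys every queued entry, then empties the list. */
static void purge_streams(mplx_t *m)
{
    for (int i = 0; i < m->n; i++) {
        stream_destroy(m->spurge[i]);
        m->spurge[i] = NULL;
    }
    m->n = 0;
}

/* Two callbacks fire for the same stream before it is registered.
 * Returns the number of destroy calls the stream received. */
static int run_scenario(int hardened)
{
    mplx_t m;
    stream_t s = { .id = 1, .destroy_calls = 0, .purge_scheduled = 0 };
    memset(&m, 0, sizeof m);

    /* callback 1: stream closed */
    if (hardened) schedule_purge_fixed(&m, &s); else schedule_purge_vuln(&m, &s);
    /* callback 2: same stream torn down again on the same path */
    if (hardened) schedule_purge_fixed(&m, &s); else schedule_purge_vuln(&m, &s);

    purge_streams(&m);
    return s.destroy_calls;
}

int run_vulnerable_scenario(void) { return run_scenario(0); }
int run_hardened_scenario(void)   { return run_scenario(1); }

int main(void)
{
    assert(run_vulnerable_scenario() == 2); /* destroyed twice: the bug */
    assert(run_hardened_scenario() == 1);   /* destroyed exactly once */
    return 0;
}
```

The per-stream flag is the cheap check; the linear scan of the array is the belt-and-braces check that also catches a stream whose flag was never initialised. Either one alone would prevent the double entry.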

Mitigation steps:

Users are advised to upgrade to Apache HTTP Server version 2.4.67, which addresses this vulnerability. Until the upgrade is applied, hosts running 2.4.66 with mod_http2 loaded and HTTP/2 enabled remain exposed.

Affected products:

Apache HTTP Server 2.4.66

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information obtained from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.
