Critical Apache HTTP/2 Double-Free Flaw (CVE-2026-23918) Enables DoS and Remote Code Execution

What Happened

The Apache Software Foundation has released version 2.4.67 of the Apache HTTP Server to address CVE-2026-23918 (CVSS 8.8), a critical double-free vulnerability in the HTTP/2 protocol handler (mod_http2). The flaw affects Apache HTTP Server 2.4.66 and can lead to both denial-of-service and remote code execution.

The vulnerability triggers when a client sends an HTTP/2 HEADERS frame immediately followed by RST_STREAM with a non-zero error code on the same stream. This causes two cleanup callbacks to fire in sequence, pushing the same h2_stream pointer onto the cleanup array twice. When the server later destroys these streams, the second call hits already-freed memory.

According to the researchers — Striga.ai co-founder Bartlomiej Dmitruk and ISEC.pl researcher Stanislaw Strzalkowski — the DoS path is trivial: one TCP connection, two frames, no authentication, and the worker process crashes. The RCE path works on systems using APR with the mmap allocator (the default on Debian-derived systems and the official httpd Docker image), where they built a working proof-of-concept exploit on x86_64.

Source

The Hacker News — Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE

Apache HTTP Server Security Vulnerabilities

Why This Matters

Apache httpd remains one of the most widely deployed web servers on the internet. A trivial DoS that requires just two frames and no authentication, combined with a proven RCE path on common configurations like Debian and Docker, makes this a serious threat. The RCE chain — using mmap reuse to place a fake struct with a cleanup function pointing to system() — is elegant and reliable.

If you’re running Apache 2.4.66 with mod_http2 enabled (which is increasingly common as HTTP/2 adoption grows), upgrade to 2.4.67 immediately. If patching isn’t possible right away, consider disabling mod_http2 temporarily as a mitigation. This is the kind of bug that exploit kits will weaponize quickly.
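A quick way to triage a fleet against the two conditions above (version 2.4.66 and mod_http2 loaded), as an added example that is not code from the advisory, the researchers, or the httpd project: it parses the banner text of `httpd -v` and the module list of `apachectl -M`; the sample banners below are constructed.

```shell
#!/bin/sh
# Added triage helper (not from the advisory or the httpd project): decides whether a
# host matches the exposure described on this page, i.e. Apache 2.4.66 with mod_http2 loaded.
# Inputs are the text of `httpd -v` (or `apachectl -v`) and of `apachectl -M`.

# Constructed sample output for an affected Debian host; real hosts feed live output instead.
SAMPLE_VERSION='Server version: Apache/2.4.66 (Debian)
Server built:   2026-01-15T00:00:00'
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 http2_module (shared)
 ssl_module (shared)'

# Print the bare version number (e.g. 2.4.66) taken from the "Server version:" banner line.
httpd_version() {
  printf '%s\n' "$1" | sed -n 's#^Server version: Apache/\([0-9.][0-9.]*\).*#\1#p'
}

# Exit 0 when the banner is the release this page names as affected (2.4.66).
version_affected() {
  [ "$(httpd_version "$1")" = "2.4.66" ]
}

# Exit 0 when mod_http2 appears in the loaded-module list.
http2_loaded() {
  printf '%s\n' "$1" | grep -q '^[[:space:]]*http2_module[[:space:]]'
}

# Combine both checks into one verdict string:
#   VULNERABLE   : 2.4.66 with mod_http2 loaded -> upgrade to 2.4.67 or disable mod_http2 now
#   UPGRADE      : 2.4.66 without mod_http2     -> upgrade; keep mod_http2 off until then
#   NOT_AFFECTED : any other version banner
triage() {
  if version_affected "$1"; then
    if http2_loaded "$2"; then echo VULNERABLE; else echo UPGRADE; fi
  else
    echo NOT_AFFECTED
  fi
}

# Demonstrate on the constructed sample.
printf 'version=%s verdict=%s\n' \
  "$(httpd_version "$SAMPLE_VERSION")" "$(triage "$SAMPLE_VERSION" "$SAMPLE_MODULES")"
```

On a live host run `triage "$(httpd -v)" "$(apachectl -M 2>/dev/null)"`; on Debian-derived systems the binaries are named `apache2` and `apache2ctl`.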