Apache HTTP Server Update Fixes Dangerous HTTP/2 Double-Free Bug

The Apache Software Foundation (ASF) has rolled out security updates to fix multiple issues in its HTTP Server, including a high-risk vulnerability that could allow attackers to execute code remotely.

The flaw, tracked as CVE-2026-23918 and rated 8.8 on the CVSS scale, involves a “double free” memory issue in HTTP/2 processing. It affects Apache HTTP Server version 2.4.66 and has been fixed in version 2.4.67.

The issue was discovered and reported by Bartlomiej Dmitruk and Stanislaw Strzalkowski.

What the Vulnerability Does

According to the researchers, the bug is in the mod_http2 module's stream cleanup. It is triggered by a specific sequence of HTTP/2 frames from the client: a HEADERS frame followed quickly by a RST_STREAM frame carrying a non-zero error code, sent before the server has fully registered the new stream.

The RST_STREAM causes the stream's memory to be released, and the server's later cleanup releases the same object a second time, operating on memory that has already been returned to the allocator. In the simplest case that crashes the worker; if an attacker can control what occupies the freed memory in between, the outcome can be more serious.
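The frame sequence above is only visible on the wire where HTTP/2 runs in the clear (h2c) or after TLS termination, for example in a decrypting proxy or a capture with session keys. The following is an added example, not code from the Apache project or from the researchers: a minimal RFC 7540 frame encoder and parser plus a pairing check that flags a HEADERS frame followed, within a small number of frames, by a RST_STREAM on the same stream with a non-zero error code. The sample byte stream is constructed inline, and the pairing heuristic is an assumption drawn from the description above; it will also match ordinary client cancellations (browsers send RST_STREAM with CANCEL when a user navigates away), so treat hits as a triage signal, not proof of exploitation.

```python
"""Flag the HTTP/2 frame sequence described above (HEADERS quickly followed by
RST_STREAM with a non-zero error code on the same stream) in a raw h2 byte stream.
Frame layout follows RFC 7540 section 4.1; the pairing heuristic is an assumption."""
import struct

# Frame types (RFC 7540 section 6) and error codes (section 7) used here.
HEADERS, RST_STREAM, SETTINGS, PING = 0x1, 0x3, 0x4, 0x6
NO_ERROR, PROTOCOL_ERROR, CANCEL = 0x0, 0x1, 0x8
END_STREAM, END_HEADERS = 0x1, 0x4
PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"   # client connection preface


def build_frame(ftype, flags, stream_id, payload=b""):
    """Encode one frame: 24-bit length, 8-bit type, 8-bit flags, reserved bit + 31-bit stream id."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload exceeds 2^24-1 bytes")
    header = (struct.pack(">I", len(payload))[1:]
              + bytes([ftype & 0xFF, flags & 0xFF])
              + struct.pack(">I", stream_id & 0x7FFFFFFF))
    return header + payload


def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame, skipping the preface."""
    if data.startswith(PREFACE):
        data = data[len(PREFACE):]
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break  # truncated capture: stop rather than misparse the tail
        yield ftype, flags, stream_id, payload
        off += 9 + length


def find_headers_rst_pairs(data, max_gap=0):
    """Return [(stream_id, error_code, frames_between)] for every HEADERS that is followed,
    with at most max_gap other frames in between, by a RST_STREAM on the same stream
    carrying a non-zero error code. RST_STREAM with NO_ERROR is an ordinary cancel."""
    findings = []
    pending = {}  # stream_id -> index of its most recent HEADERS frame
    for idx, (ftype, _flags, sid, payload) in enumerate(parse_frames(data)):
        if sid == 0:
            continue  # SETTINGS/PING/GOAWAY live on stream 0 and open no stream
        if ftype == HEADERS:
            pending[sid] = idx
        elif ftype == RST_STREAM and sid in pending and len(payload) == 4:
            code = int.from_bytes(payload, "big")
            gap = idx - pending.pop(sid) - 1
            if code != NO_ERROR and gap <= max_gap:
                findings.append((sid, code, gap))
    return findings


def build_sample():
    """Constructed client-to-server stream (not a capture): one matching pair on stream 1,
    a benign cancel on stream 3, an open stream 5, and a pair on stream 7 separated by a PING."""
    hpack = b"\x82\x84\x86"  # HPACK static-table indexed fields: :method GET, :path /, :scheme http
    return (PREFACE
            + build_frame(SETTINGS, 0, 0)
            + build_frame(HEADERS, END_STREAM | END_HEADERS, 1, hpack)
            + build_frame(RST_STREAM, 0, 1, struct.pack(">I", CANCEL))
            + build_frame(HEADERS, END_STREAM | END_HEADERS, 3, hpack)
            + build_frame(RST_STREAM, 0, 3, struct.pack(">I", NO_ERROR))
            + build_frame(HEADERS, END_STREAM | END_HEADERS, 5, hpack)
            + build_frame(HEADERS, END_STREAM | END_HEADERS, 7, hpack)
            + build_frame(PING, 0, 0, b"\x00" * 8)
            + build_frame(RST_STREAM, 0, 7, struct.pack(">I", PROTOCOL_ERROR)))


if __name__ == "__main__":
    for sid, code, gap in find_headers_rst_pairs(build_sample(), max_gap=1):
        print(f"stream {sid}: HEADERS then RST_STREAM(error=0x{code:x}) after {gap} frame(s)")
```

With the default `max_gap=0` only stream 1 is reported; raising it to 1 also catches the pair on stream 7 that has a PING between the two frames. The parser stops at a truncated frame instead of guessing, which matters when the check is run over partial captures.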

Exploitation Scenarios

Researchers highlighted two main attack paths:

  • Denial-of-Service (DoS):
    This is the easiest to exploit. An attacker can crash server workers using just a single connection and a minimal set of crafted HTTP/2 frames. No authentication or special configuration is required. While Apache can restart crashed workers, repeated attacks can continuously disrupt service.
  • Remote Code Execution (RCE):
    A more advanced attack can lead to full code execution. It requires specific conditions, notably an Apache Portable Runtime (APR) build that uses an mmap-based allocator, which is common on Debian-based systems and in the official Docker images. In testing, the researchers demonstrated a proof of concept that reclaimed the freed memory with a fake structure and redirected control flow to run a system command. The technique relies on predictable memory layout, in particular Apache's scoreboard, which stays at a stable address for the lifetime of the process.

Impact and Risk

The vulnerability does not affect servers running the prefork MPM, on which mod_http2 does not serve HTTP/2. However, the overall risk remains high because:

  • mod_http2 is included in default Apache builds
  • HTTP/2 is widely enabled in production environments

This significantly increases the attack surface for exposed servers.

Recommendation

Administrators are strongly advised to upgrade to Apache HTTP Server 2.4.67 or later as soon as possible. Applying the patch is the most effective way to prevent exploitation, especially for systems using HTTP/2 in active deployments.
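A quick local check, added here as an example and not an ASF tool: it reads the version reported by the local httpd/apache2 binary, compares it numerically against 2.4.67, and reports whether mod_http2 and the prefork MPM are loaded. The binary names and the `-v`/`-M` output formats are those of stock httpd. Distribution packages that backport the fix without changing the version string will be reported as vulnerable by a version-only check, so cross-check the result against your distribution's own advisory.

```sh
#!/bin/sh
# Is the installed Apache httpd older than the fixed release, and is the vulnerable
# code path (mod_http2 on a non-prefork MPM) loaded? Added example, not an ASF tool.
FIXED_VERSION="2.4.67"   # first release carrying the fix, per the advisory above

# version_lt A B: true (exit 0) when dotted version A sorts before B numerically.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"            # leading component of each
        if [ "$a" = "$ah" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bh" ]; then b=""; else b="${b#*.}"; fi
        ah="${ah:-0}"; bh="${bh:-0}"            # a missing trailing component counts as 0
        if [ "$ah" -lt "$bh" ]; then return 0; fi
        if [ "$ah" -gt "$bh" ]; then return 1; fi
    done
    return 1                                    # equal
}

# httpd_needs_update VERSION: true when VERSION ("2.4.66", "2.4.66-1ubuntu1", ...) predates the fix.
httpd_needs_update() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # drop distro suffixes and trailing text
    version_lt "$v" "$FIXED_VERSION"
}

# installed_version: print the version string reported by the local httpd binary, if any.
installed_version() {
    for bin in httpd apache2 apachectl apache2ctl; do
        if command -v "$bin" >/dev/null 2>&1; then
            "$bin" -v 2>/dev/null | sed -n 's/^Server version: Apache\/\([0-9.][0-9.]*\).*/\1/p' | head -n 1
            return 0
        fi
    done
    return 1
}

# loaded_modules: list loaded module names (needs a readable config, usually run as root).
loaded_modules() {
    for bin in apachectl apache2ctl httpd; do
        if command -v "$bin" >/dev/null 2>&1; then
            "$bin" -M 2>/dev/null | awk '/_module/ { print $1 }'
            return 0
        fi
    done
    return 1
}

ver=$(installed_version || true)
if [ -z "$ver" ]; then
    echo "no httpd/apache2 binary found on PATH"
elif httpd_needs_update "$ver"; then
    echo "Apache $ver is older than $FIXED_VERSION: vulnerable build, upgrade"
else
    echo "Apache $ver is at or past $FIXED_VERSION"
fi

mods=$(loaded_modules || true)
case "$mods" in
    *http2_module*) echo "mod_http2 is loaded: HTTP/2 code path present" ;;
    *)              echo "mod_http2 is not loaded" ;;
esac
case "$mods" in
    *mpm_prefork_module*) echo "MPM is prefork: not affected per the advisory" ;;
esac
```

Where the upgrade has to wait, removing h2 and h2c from the `Protocols` directive takes mod_http2 out of the request path; the advisory itself lists only the upgrade, so treat that as an interim measure rather than a fix.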
