
Apache HTTP Server 2.4.66 has a double-free in mod_http2 that lets any TCP-reachable client crash your server — or, on common default configurations, execute arbitrary code — with no credentials required. Just two HTTP/2 frames. The vulnerability is CVE-2026-23918 (CVSS 8.8). The patch shipped May 4 in version 2.4.67. If you’re running 2.4.66, you’re one crafted request away from a downed server or a shell.
What Actually Happens
The bug lives in h2_mplx.c, the HTTP/2 multiplexer cleanup path. An attacker sends an HTTP/2 HEADERS frame immediately followed by RST_STREAM with a non-zero error code — before the multiplexer has finished registering the new stream.
Two nghttp2 callbacks fire back-to-back: on_frame_recv_cb and on_stream_close_cb. Both call m_stream_cleanup, which pushes the same h2_stream pointer onto the cleanup array twice. When Apache processes the array and calls apr_pool_destroy on each entry, the second call hits memory that has already been freed.
That double-free corrupts the heap. The mildest outcome is that the Apache worker process crashes, taking down every connection that process was serving. The worst outcome, and the consequential part, is that the heap corruption is exploitable for remote code execution.
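One way to spot the trigger sequence on the wire, as an added example written for this page and not code from the Apache project or from the PoC repositories mentioned below: a minimal HTTP/2 frame parser that flags an RST_STREAM with a non-zero error code arriving as the very next frame after a HEADERS frame on the same stream. The sample byte stream is constructed inline (preface, empty SETTINGS, a HEADERS frame carrying three indexed HPACK entries, then RST_STREAM with CANCEL); frame layout, type numbers and error codes follow RFC 9113. It only reads cleartext h2c or already-decrypted bytes, so run it at the TLS-terminating hop or on a decrypted capture.

```python
"""Flag the HEADERS -> RST_STREAM trigger pattern in a raw HTTP/2 byte stream.

Added example for this page; not code from Apache httpd or any PoC repository.
Frame layout, type numbers and error codes follow RFC 9113.
"""
import struct

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"   # client connection preface
FRAME_HEADER_LEN = 9                          # 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id
TYPE_HEADERS = 0x1
TYPE_RST_STREAM = 0x3
TYPE_SETTINGS = 0x4
ERR_NO_ERROR = 0x0
ERR_CANCEL = 0x8


def build_frame(ftype, flags, stream_id, payload):
    """Encode one HTTP/2 frame; used here only to construct the sample capture."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def parse_frames(data):
    """Return [(type, flags, stream_id, payload), ...] for every complete frame in data.

    A leading client preface is skipped; a truncated trailing frame is ignored rather
    than raising, because a capture may end mid-frame.
    """
    off = len(PREFACE) if data.startswith(PREFACE) else 0
    frames = []
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        start, end = off + FRAME_HEADER_LEN, off + FRAME_HEADER_LEN + length
        if end > len(data):
            break
        frames.append((ftype, flags, stream_id, data[start:end]))
        off = end
    return frames


def find_headers_then_rst(frames):
    """Return [(stream_id, error_code), ...] for every RST_STREAM that immediately
    follows a HEADERS frame on the same stream and carries a non-zero error code.

    That ordering is the trigger the advisory describes; a reset with NO_ERROR, or a
    reset that arrives after other frames, is not flagged.
    """
    hits = []
    for (ptype, _, pstream, _), (ctype, _, cstream, cpayload) in zip(frames, frames[1:]):
        if (ptype == TYPE_HEADERS and ctype == TYPE_RST_STREAM
                and pstream == cstream and len(cpayload) == 4):
            code = struct.unpack(">I", cpayload)[0]
            if code != ERR_NO_ERROR:
                hits.append((cstream, code))
    return hits


# Constructed sample capture (not a real trace): preface, empty SETTINGS, HEADERS on
# stream 1 carrying indexed HPACK entries (:method GET, :path /, :scheme http) with
# END_HEADERS|END_STREAM set, then RST_STREAM(CANCEL) on the same stream.
SAMPLE_TRIGGER = (PREFACE
                  + build_frame(TYPE_SETTINGS, 0x0, 0, b"")
                  + build_frame(TYPE_HEADERS, 0x5, 1, b"\x82\x84\x86")
                  + build_frame(TYPE_RST_STREAM, 0x0, 1, struct.pack(">I", ERR_CANCEL)))

if __name__ == "__main__":
    print(find_headers_then_rst(parse_frames(SAMPLE_TRIGGER)))   # [(1, 8)]
```

Treat a hit as a heuristic, not a verdict: well-behaved browsers also cancel streams right after opening them (an abandoned navigation looks the same on the wire, and HTTP/2 Rapid Reset traffic does too), so alert on the per-connection rate of these pairs rather than on a single occurrence, and use the hit to pull the connection for closer inspection.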
Who Is Actually Exposed
“Apache users” undersells the blast radius. Here’s what matters:
- Apache 2.4.66 with mod_http2 loaded, h2 or h2c listed in a Protocols directive, and a multi-threaded MPM (worker or event) is fully exposed. Upstream httpd defaults Protocols to http/1.1 only, so HTTP/2 is on wherever someone enabled it, which in practice is most TLS front ends tuned for performance. Check the directive rather than assuming either way.
- The official httpd Docker image ships with the APR mmap allocator — the exact configuration that enables the RCE exploitation path. Docker deployments face RCE risk, not just DoS.
- Debian-derived systems (Ubuntu included) use APR’s mmap allocator by default. The RCE path is live on these systems.
- Shared hosting: one compromised server process on a shared host threatens all tenants on that machine.
- Proxy chains: if a reverse proxy forwards HTTP/2 to an Apache backend, the vulnerability is reachable through the proxy. What the proxy speaks to the backend decides this: nginx’s proxy_pass talks HTTP/1.x to upstreams, but a grpc_pass route, or HAProxy or Envoy configured for h2 or h2c to the backend, carries the client’s frames through. “We’re behind nginx” is not a complete defense on its own.
The one safe harbor: MPM prefork. mod_http2 does not serve HTTP/2 on prefork at all (since 2.4.27 it logs warning AH10034 at startup and leaves the protocol inactive), so the multiplexer cleanup path never runs there. If you know you’re running prefork, you’re not at risk from this specific CVE, but you should still upgrade, since 2.4.67 patches ten other vulnerabilities.
DoS Is Certain, RCE Is Conditional
There are two distinct threat levels here.
The denial of service is trivially reproducible: single TCP connection, two frames, zero authentication, zero knowledge of the target application. The worker process crashes every time. Public PoC tools including xeloxa/CVE-2026-23918-Apache-H2-PoC on GitHub implement both rapid-RST and slow-drip attack modes.
The RCE path is more constrained but has been demonstrated to work on x86_64. The chain: trigger the double-free, then use mmap allocator reuse to plant a fake h2_stream struct at the freed address. Point its pool cleanup function pointer to system(). For a stable payload container, use Apache’s scoreboard memory — which sits at a fixed virtual address for the lifetime of the server process, even with ASLR enabled. That ASLR bypass is the ugly-elegant part of this exploit.
RCE requires the APR mmap allocator, the default on Debian-derived systems and in the official httpd Docker image. On these systems, your exposure is not limited to DoS.
How to Check and Patch
Verify what you’re running:
# Check Apache version
httpd -v
# or on Debian/Ubuntu
apache2 -v
# Confirm mod_http2 is loaded (apache2ctl -M on Debian/Ubuntu)
apachectl -M | grep http2
If the version is 2.4.66 and http2_module appears in the output, also note the MPM (httpd -V prints a “Server MPM:” line) and whether any Protocols directive, server-level or inside a VirtualHost, lists h2 or h2c. One caveat on the version string: Debian and Ubuntu backport security fixes without changing the upstream version, so an “Apache/2.4.66” banner on those systems may already carry the fix; confirm with apt changelog apache2 or the package’s Debian revision rather than the banner. If you are exposed, upgrade immediately:
apt update && apt upgrade apache2 # Debian/Ubuntu
dnf upgrade httpd # RHEL/Fedora
brew upgrade httpd # macOS
For the official Docker image, rebuild from the updated httpd:2.4 tag and redeploy; a package upgrade inside a running container does not survive the next restart.
If upgrading is blocked short-term, remove h2 and h2c from every Protocols directive, at server level and in each VirtualHost, since a vhost-level Protocols overrides the server-level one:
Protocols http/1.1
Then run apachectl configtest and reload with apachectl graceful. Important caveat: if a reverse proxy is forwarding HTTP/2 traffic to Apache, changing Apache’s Protocols directive alone leaves the proxy trying to speak a protocol the backend no longer offers. Configure the proxy’s backend connection for HTTP/1.1 explicitly and verify the full request path end to end, for example by confirming that Apache’s access log now shows HTTP/1.1 request lines rather than HTTP/2.0.
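The exposure matrix from the “Who Is Actually Exposed” list (2.4.66, mod_http2 loaded, h2 or h2c offered in Protocols, threaded MPM) and the manual checks in this section fold into one script. The following is an added example for this page, not an Apache project tool: the command names, the config file paths and the verdict strings are my assumptions, it tests only the 2.4.66 version string the advisory names, and it cannot see which APR allocator your build uses, so an “exposed” verdict means DoS for certain and RCE on the Debian-derived and Docker builds listed above.

```python
"""Classify a host's exposure to CVE-2026-23918 from standard httpd command output.

Added example for this page, not an Apache project tool. Command names, config
paths and verdict strings are assumptions; adjust for your distribution.
"""
import re
import subprocess

VULNERABLE_VERSION = "2.4.66"   # the only version the advisory names


def parse_version(httpd_v_output):
    """'Server version: Apache/2.4.66 (Unix)' -> '2.4.66' (None if absent)."""
    m = re.search(r"Apache/(\d+\.\d+\.\d+)", httpd_v_output)
    return m.group(1) if m else None


def parse_mpm(httpd_big_v_output):
    """'Server MPM:     event' from httpd -V -> 'event' (None if absent)."""
    m = re.search(r"Server MPM:\s*(\w+)", httpd_big_v_output)
    return m.group(1).lower() if m else None


def http2_loaded(modules_output):
    """True if http2_module is listed in apachectl -M / apache2ctl -M output."""
    return re.search(r"^\s*http2_module\b", modules_output, re.M) is not None


def h2_protocols(config_text):
    """Return the value of every Protocols directive that still offers h2 or h2c.

    Every occurrence matters: a Protocols line inside <VirtualHost> overrides the
    server-level one, so a single vhost can re-enable HTTP/2 after the global
    directive was set to http/1.1.
    """
    offenders = []
    for line in config_text.splitlines():
        stripped = line.split("#", 1)[0].strip()      # ignore comments
        m = re.match(r"Protocols\s+(.+)", stripped, re.I)
        if m and re.search(r"\bh2c?\b", m.group(1)):
            offenders.append(m.group(1).strip())
    return offenders


def classify(version, mpm, loaded, offenders):
    """Apply the advisory's exposure matrix and return a verdict string."""
    if version != VULNERABLE_VERSION:
        return "not-affected-version"
    if not loaded or not offenders:
        return "mod_http2-inactive"       # module absent or h2/h2c never offered
    if mpm == "prefork":
        return "prefork-not-reachable"    # mod_http2 leaves HTTP/2 inactive on prefork
    return "exposed-dos-possible-rce"     # RCE depends on the APR allocator, not visible here


def assess_live(httpd="httpd", ctl="apachectl",
                config_files=("/etc/httpd/conf/httpd.conf", "/etc/apache2/apache2.conf")):
    """Run the checks on this host. Debian/Ubuntu use apache2 / apache2ctl and keep
    Protocols in sites-enabled/*.conf, so pass those names and paths explicitly there."""
    def run(*cmd):
        try:
            return subprocess.run(cmd, capture_output=True, text=True).stdout
        except OSError:                  # binary not installed or not on PATH
            return ""
    big_v = run(httpd, "-V")             # includes both the version line and the MPM
    config = ""
    for path in config_files:
        try:
            with open(path) as fh:
                config += fh.read() + "\n"
        except OSError:
            pass
    return classify(parse_version(big_v), parse_mpm(big_v),
                    http2_loaded(run(ctl, "-M")), h2_protocols(config))


if __name__ == "__main__":
    print(assess_live())
```

On Debian-derived hosts call assess_live("apache2", "apache2ctl", (...)) with the sites-enabled files included, and remember that a verdict based on the version string is an upper bound there because of backported fixes.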
2.4.67 Patches More Than One CVE
CVE-2026-23918 is the headline, but Apache patched 11 vulnerabilities in 2.4.67 — including a heap buffer overflow in mod_rewrite and multiple privilege escalation issues. Even if you’re running MPM prefork and believe you’re not exposed to this specific CVE, the 2.4.67 release warrants immediate deployment.
The NVD entry for CVE-2026-23918 and the technical breakdown from The Hacker News have additional detail if you need to make the case to your team. The AppSec Master write-up covers the full RCE chain for those who need to understand the mechanics.
HTTP/2’s stream multiplexing model continues to introduce timing-window attack surfaces that HTTP/1.1 simply didn’t have. CVE-2026-23918 is not the last of this category. Version 2.4.67 is out. Go patch.