
CVE-2026-23918: Apache HTTP/2 Double-Free — Patch Now

CVE-2026-23918: Critical double-free in Apache HTTP Server 2.4.66 mod_http2

Apache HTTP Server 2.4.66 contains a critical double-free in mod_http2 (CVE-2026-23918, CVSS 8.8). An unauthenticated client can crash a worker process with two HTTP/2 frames on a single connection, and on Debian-derived builds and the official Docker images the bug has been demonstrated to be usable for remote code execution. The fix shipped in version 2.4.67 on May 4. If your server reports Apache/2.4.66 with HTTP/2 enabled, you are exposed right now.

What the Bug Does

The flaw lives in h2_mplx.c, the stream cleanup path inside Apache’s HTTP/2 multiplexer. When a client sends an HTTP/2 HEADERS frame immediately followed by a RST_STREAM with a non-zero error code — before the multiplexer registers the stream — two separate nghttp2 callbacks fire back-to-back. Both call h2_mplx_c1_client_rst, which pushes the same h2_stream pointer onto the cleanup array twice. The second call to h2_stream_destroy operates on memory that was already freed: a textbook double-free.
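To make the mechanism concrete, here is a simplified C model of that double enqueue, written for this article rather than taken from mod_http2. The names stream_t, mplx_t, client_rst_naive and client_rst_guarded are invented, the two callbacks are modelled rather than copied from nghttp2, and the guard flag in the hardened variant is one plausible fix strategy, not a description of what the 2.4.67 patch does:

```c
/* Added illustration (not Apache's code): a minimal model of the
 * double-enqueue described above. A client sends HEADERS and then
 * RST_STREAM(error != 0) before the stream is registered; two callbacks
 * both report the reset, and the naive cleanup path queues the same
 * stream twice, so destroy runs twice on one pointer. */
#include <stdio.h>
#include <string.h>

#define MAX_CLEANUP 8

typedef struct {
    int id;
    int rst_queued;     /* hardened variant only: set once the stream is queued */
    int destroy_calls;  /* stands in for free(): 2 here means a real double free */
} stream_t;

typedef struct {
    stream_t *cleanup[MAX_CLEANUP];  /* streams awaiting destruction */
    int n;
} mplx_t;

/* Stand-in for h2_stream_destroy. The real function frees the struct,
 * so a second call is undefined behaviour; this model only counts calls. */
static void stream_destroy(stream_t *s) { s->destroy_calls++; }

/* Vulnerable pattern: every reset notification appends the stream,
 * whether or not it is already queued. */
static void client_rst_naive(mplx_t *m, stream_t *s) {
    if (m->n < MAX_CLEANUP) m->cleanup[m->n++] = s;
}

/* Hardened pattern (assumed fix strategy): remember that the stream is
 * already queued and ignore any later duplicate notification. */
static void client_rst_guarded(mplx_t *m, stream_t *s) {
    if (s->rst_queued) return;          /* second callback: nothing to do */
    s->rst_queued = 1;
    if (m->n < MAX_CLEANUP) m->cleanup[m->n++] = s;
}

/* Run the queued cleanups, as the multiplexer would on its next pass. */
static void run_cleanups(mplx_t *m) {
    for (int i = 0; i < m->n; i++) stream_destroy(m->cleanup[i]);
    m->n = 0;
}

/* Model of the two back-to-back callbacks for one reset stream: the
 * frame-receive path and the stream-close path both end up in the
 * multiplexer's client-reset handler. */
static void deliver_rst(mplx_t *m, stream_t *s, void (*rst)(mplx_t *, stream_t *)) {
    rst(m, s);   /* RST_STREAM frame received, non-zero error code */
    rst(m, s);   /* stream close, triggered by the same reset */
}

/* Returns how many times destroy ran for one stream under a given handler. */
int destroy_calls_for(void (*rst)(mplx_t *, stream_t *)) {
    mplx_t m;
    memset(&m, 0, sizeof m);
    stream_t s = { .id = 1, .rst_queued = 0, .destroy_calls = 0 };
    deliver_rst(&m, &s, rst);
    run_cleanups(&m);
    return s.destroy_calls;
}

int destroy_calls_naive(void)   { return destroy_calls_for(client_rst_naive); }
int destroy_calls_guarded(void) { return destroy_calls_for(client_rst_guarded); }

int main(void) {
    printf("naive handler:   destroy called %d time(s)\n", destroy_calls_naive());
    printf("guarded handler: destroy called %d time(s)\n", destroy_calls_guarded());
    return 0;
}
```

The naive handler destroys the stream twice; in the real server the second call frees memory that is already free. The guarded handler makes the reset notification idempotent, which is the property any fix has to restore, whether it does so with a state flag as here or by checking the cleanup array before appending.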

For denial of service the trigger is trivial: one TCP connection, two frames, no credentials. The worker process that owns the connection crashes and takes every other request it was serving down with it, and the attacker can simply reconnect and repeat. Internet scans already confirm this vector is being used in the wild.

Remote code execution is more complex but feasible. On systems whose Apache Portable Runtime was built with the mmap allocator (selected at APR build time by --enable-allocator-uses-mmap, and the default on Debian-derived distributions and in the official Apache Docker images), an attacker can place a fake h2_stream struct at the freed address through mmap page reuse, redirect the pool cleanup function pointer to system(), and use Apache's scoreboard shared memory, whose address is stable across ASLR, as a payload container. Researchers have demonstrated this in a controlled environment, and a proof-of-concept is publicly available on GitHub.

Are You Affected?

Only Apache HTTP Server 2.4.66 is affected: neither 2.4.65 nor 2.4.67 carries the bug. That is both reassuring and alarming, because 2.4.66 shipped in late 2025, so the shops that upgraded most diligently are the ones now at risk.

You are exposed to the crash if both apply:

  • Your server reports version 2.4.66
  • mod_http2 is loaded and HTTP/2 is negotiated (standard for HTTPS deployments)

You are additionally exposed to remote code execution if:

  • You are running MPM event or worker (most production setups)

MPM prefork users face DoS risk but not RCE. One caveat: mod_http2 has declined to enable HTTP/2 under prefork since 2.4.27 (it logs AH10034 and serves HTTP/1.1 instead), so a prefork server is usually not reachable over the vulnerable path at all; confirm whether h2 is actually negotiated before treating it as exposed. If you skipped 2.4.66 entirely, you are in the clear for this flaw specifically. Check your version, MPM and loaded modules in under 30 seconds:

# Check Apache version
apache2 -v       # Debian/Ubuntu
httpd -v         # RHEL/CentOS/Fedora

# Check your MPM (expect mpm_event_module, mpm_worker_module or mpm_prefork_module)
apache2ctl -M | grep mpm    # Debian/Ubuntu
httpd -M | grep mpm         # RHEL/CentOS

# Check whether mod_http2 is loaded (prints http2_module when it is)
apache2ctl -M | grep http2  # Debian/Ubuntu
httpd -M | grep http2       # RHEL/CentOS

Patch Now

Upgrade to Apache 2.4.67. This release also fixes four lower-severity CVEs: a mod_rewrite privilege escalation (CVE-2026-24072), a heap overflow in mod_proxy_ajp (CVE-2026-28780), and two minor issues in mod_md and mod_dav_lock. Upgrade once, fix five problems.

# Debian/Ubuntu
sudo apt update && sudo apt upgrade apache2
sudo systemctl restart apache2    # harmless if the package already restarted it

# RHEL/CentOS/Fedora (the package does not restart the service for you)
sudo dnf upgrade httpd && sudo systemctl restart httpd

# Verify the upgrade
apache2 -v    # Debian/Ubuntu: should report Apache/2.4.67 or later
httpd -v      # RHEL/CentOS/Fedora

# Distro packages often backport the fix without bumping the upstream version;
# if the banner still says 2.4.66, confirm the CVE is named in the package changelog
apt changelog apache2 | grep CVE-2026-23918      # Debian/Ubuntu
rpm -q --changelog httpd | grep CVE-2026-23918   # RHEL/CentOS/Fedora

Docker users: pull httpd:2.4.67 or rebuild from a current Debian/Ubuntu base image. The official httpd:2.4.66 image contains the vulnerable code, and its APR uses the mmap allocator, so for containers RCE is the relevant risk, not just DoS.

If You Cannot Patch Immediately

Disable mod_http2 as a temporary measure. This removes the vulnerable code path entirely, and your server falls back to HTTP/1.1: slower for some clients, but safe. On Debian-family systems use a2dismod as shown; on RHEL-family systems there is no a2dismod, so comment out the LoadModule http2_module line under /etc/httpd/conf.modules.d/ and restart httpd. Whichever route you take, confirm afterwards with curl -sI --http2 https://your-host/ that the response comes back as HTTP/1.1 rather than HTTP/2.

sudo a2dismod http2
sudo systemctl restart apache2

“We’ll patch it next sprint” is not a valid strategy here. The DoS trigger requires zero authentication and is already being automated by scanners. Disabling HTTP/2 takes 30 seconds.

The Bigger Picture

Apache still powers roughly a quarter of the web and dominates shared hosting. Coordinated disclosure kept this vulnerability private from December 2025 to May 2026 — five months during which the researchers, Apache, and a small circle of distro maintainers knew the details. Now that information is public and a detailed technical analysis exists alongside the PoC.

The last high-profile Apache HTTP Server vulnerability of comparable severity, the path traversal CVE-2021-41773 in 2.4.49, was already being exploited in the wild when the advisory was published. Different vulnerability, same lesson: Apache's attack surface is large, and threat actors watch these disclosures closely.

Upgrade 2.4.66 to 2.4.67. Run the version check. Check your MPM and whether mod_http2 is loaded. If you are on Docker, update your image today.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.
