[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fObqSLCO80YEjFO8k3EUvfPYi2A5eujIzyL8GWR9EhsU":3},{"article":4,"iocs":44},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":31,"category":32,"article_tags":36},"d9bfb88f-5e8b-410b-939e-d330efb0c507","Critical Apache HTTP\u002F2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE","critical-apache-http-2-flaw-cve-2026-23918-enables-dos-and-potential-rce-b1549c","The Apache Software Foundation (ASF) has released security updates to address several security vulnerabilities in the HTTP Server, including a severe vulnerability that could potentially lead to remote code execution (RCE). The vulnerability, tracked as CVE-2026-23918 (CVSS score: 8.8), has been described as a case of \"double free and possible RCE\" in the HTTP\u002F2 protocol handling. This issue","The Apache Software Foundation released security updates for CVE-2026-23918 (CVSS 8.8), a critical double-free vulnerability in mod_http2 affecting Apache HTTP Server 2.4.66. The flaw in HTTP\u002F2 stream handling can be exploited to achieve denial-of-service trivially on any default deployment with mod_http2 and multi-threaded MPM, while remote code execution is possible on systems using the APR mmap allocator (default on Debian-derived systems and official httpd Docker images). The vulnerability requires only two HTTP\u002F2 frames on a single TCP connection with no authentication or special headers, making it a severe risk to production deployments.","Apache HTTP Server CVE-2026-23918 double-free flaw enables DoS and RCE via HTTP\u002F2.","Critical Apache HTTP\u002F2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE Ravie LakshmananMay 05, 2026Vulnerability \u002F Server Security The Apache Software Foundation (ASF) has released security updates to address several security vulnerabilities in the HTTP Server, including a severe vulnerability that could potentially lead to remote code execution (RCE). The vulnerability, tracked as CVE-2026-23918 (CVSS score: 8.8), has been described as a case of \"double free and possible RCE\" in the HTTP\u002F2 protocol handling. This issue affects Apache HTTP Server 2.4.66 and has been addressed in version 2.4.67. Striga.ai co-founder Bartlomiej Dmitruk and ISEC.pl researcher Stanislaw Strzalkowski have been credited with discovering and reporting the vulnerability. When reached for comment, Dmitruk told The Hacker News via email that the severity of CVE-2026-23918 is critical, as it can be exploited to achieve denial-of-service (DoS) and RCE. Additional details of the vulnerability are below - CVE-2026-23918 is a double-free in Apache httpd 2.4.66 mod_http2, specifically in the stream cleanup path of h2_mplx.c. The bug triggers when a client sends an HTTP\u002F2 HEADERS frame immediately followed by RST_STREAM with a non-zero error code on the same stream, before the multiplexer has registered the stream. Two nghttp2 callbacks then fire in sequence, on_frame_recv_cb for the RST and on_stream_close_cb for the close, and both end up calling h2_mplx_c1_client_rst -> m_stream_cleanup, which pushes the same h2_stream pointer onto the spurge cleanup array twice. When c1_purge_streams later iterates spurge and calls h2_stream_destroy -> apr_pool_destroy on each entry, the second call hits memory that has already been freed. The DoS, Dmitruk added, is trivial and works on any default deployment with mod_http2 and a multi-threaded MPM, whereas the RCE path requires an Apache Portable Runtime (APR) with the mmap allocator, which is the default on Debian-derived systems and on the official httpd Docker image. Dmitruk further explained - The first is denial-of-service, which is trivial: one TCP connection, two frames, no authentication, no special headers, no specific URL, and the worker crashes. Apache respawns it, but every request on the crashed worker is dropped, and the pattern can be sustained as long as the attacker keeps sending. The second outcome is remote code execution, and we built a working proof of concept on x86_64. The chain places a fake h2_stream struct at the freed virtual address via mmap reuse, points its pool cleanup function to system(), and uses Apache's scoreboard memory as a stable container for the fake structures and the command string. The scoreboard sits at a fixed address for the lifetime of the server, even with ASLR, which is what makes the RCE path practical. The usual caveats apply: practical exploitation requires an info leak for system() and the scoreboard offsets, and the heap spray is probabilistic, but in lab conditions execution lands in minutes. Dmitruk also pointed out that the MPM prefork is not affected by the flaw. However, the researcher cautioned that the attack surface is large as mod_http2 ships in default builds and HTTP\u002F2 is widely enabled in production deployments. In light of the severity of the flaw, users are advised to apply the latest fixes for optimal protection. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Apache, cybersecurity, denial of service, HTTP2, linux, remote code execution, server security, Vulnerability ⚡ Top Stories This Week Harvester Deploys Linux GoGra Backdoor in South Asia Using Microsoft Graph API Malicious KICS Docker Images and VS Code Extensions Hit Checkmarx Supply Chain Apple Fixes iOS Flaw That Let FBI Recover Deleted Signal Messages Vercel Finds More Compromised Accounts in Context.ai-Linked Breach ThreatsDay Bulletin: $290M DeFi Hack, macOS LotL Abuse, ProxySmart SIM Farms +25 New Stories Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches Researchers Uncover Pre-Stuxnet ‘fast16’ Malware Targeting Engineering Software ⚡ Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdoor, AI Employee Tracking and More Checkmarx Confirms GitHub Repository Data Posted on Dark Web After March 23 Attack Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202 Chinese Silk Typhoon Hacker Extradited to U.S. Over COVID Research Cyberattacks Microsoft Patches Entra ID Role Flaw That Enabled Service Principal Takeover Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push Critical cPanel Authentication Vulnerability Identified — Update Your Server Immediately ⭐ Featured Resources [Webinar] Stop Chasing Alerts and Start Focusing on Real Exposures [Guide] How to Enable Secure Data Movement Without Added Risk Learn How Hidden Identity Blind Spots Weaken Your Security Systems [Guide] Learn a Practical Framework to Evaluate AI Tools for Production","https:\u002F\u002Fthehackernews.com\u002F2026\u002F05\u002Fcritical-apache-http2-flaw-cve-2026.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEjL7seGapCGfnl8pFznQajU2KsVPCE19qbtPTJb2sqpOuurkEKNI8ZwUui6QhYmDJODr1F5L7hrpfGBQfsCOT8oC2k_gbjmRPIFWpVZLpJzcdd9nb-UJyNNg4L9LTtEto1sSo3Fn1cIgWxgsH4Xs0GlRJgEt65_Eut7FRv7aQrkqYdJXiE9zDunU2spQOVP\u002Fs1600\u002Fapache.jpg","2026-05-05T16:19:00+00:00","2026-05-05T18:00:16.992146+00:00",9,[18,21,24,26,29],{"name":19,"type":20},"Apache Software Foundation","vendor",{"name":22,"type":23},"Apache HTTP Server","product",{"name":25,"type":23},"mod_http2",{"name":27,"type":28},"HTTP\u002F2","technology",{"name":30,"type":28},"APR (Apache Portable Runtime)","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":31,"icon":33,"name":34,"slug":35},null,"Vulnerabilities","vulnerabilities",[37,42],{"category":38},{"id":39,"icon":33,"name":40,"slug":41},"574f766a-fb3f-487c-8d2c-0720ae75471b","Zero-day","zero-day",{"category":43},{"id":31,"icon":33,"name":34,"slug":35},[45],{"type":46,"value":47,"context":48},"cve","CVE-2026-23918","Critical double-free vulnerability in Apache HTTP Server 2.4.66 mod_http2 enabling DoS and RCE"]