Planned Fix

CVE-2026-23918

Remote Code Execution in Apache HTTP Server

Summary

A double free in Apache HTTP Server's HTTP/2 handling can corrupt memory in the httpd process. It affects Apache HTTP Server 2.4.66 when HTTP/2 is enabled. A remote attacker can send crafted HTTP/2 traffic that reaches the early-reset path; the resulting memory corruption may lead to remote code execution without user interaction.

Why Planned Fix?

Score: 4/6
  • No authentication required
  • Commonly internet-facing deployment
  • No user interaction needed
  • Not exploitable in default configuration
  • No active exploitation or PoC
  • High impact vulnerability

Exploitation Details

Type: RCE (Remote Code Execution)
Is exploitable with default configuration? No
Is authentication needed? No
PoC / Exploit: No
Impact

Execute arbitrary code as the Apache worker user.
Exploitation Requirements
  • HTTP/2 enabled (mod_http2 loaded and Protocols includes h2/h2c)
Exploitation Process

A remote attacker connects to an Apache HTTP Server instance with HTTP/2 enabled and sends crafted HTTP/2 traffic that drives a stream into the early-reset cleanup path. That path triggers a double free in mod_http2, which can corrupt heap state in the server process. With successful heap shaping, the attacker may turn the memory corruption into code execution in the httpd worker process.
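A defender-side triage check for the requirement listed above (mod_http2 loaded and a Protocols directive that includes h2 or h2c) and the fix version given under Remediation, written here as an added example rather than code from the page or from the Apache project. It parses an `httpd -v` banner and the effective configuration text and reports whether a host runs the affected 2.4.66 with HTTP/2 actually enabled. The version numbers come from this advisory; the sample banner and configuration are constructed, and the function names are my own.

```python
import re
from typing import Optional, Tuple

# Versions taken from this advisory: 2.4.66 is affected, 2.4.67 carries the fix.
AFFECTED_VERSIONS = {(2, 4, 66)}
FIXED_VERSION = (2, 4, 67)


def parse_httpd_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from `httpd -v` output such as
    'Server version: Apache/2.4.66 (Unix)'. Returns None if no Apache version is found."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def http2_enabled(config_text: str) -> bool:
    """True only if mod_http2 is loaded AND some Protocols directive lists h2 or h2c,
    which is the exposure condition named in the advisory. Full-line '#' comments are
    skipped; Apache has no trailing comments, so directive values are left intact."""
    module_loaded = False
    h2_listed = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "loadmodule" and len(parts) >= 2 and parts[1] == "http2_module":
            module_loaded = True
        elif directive == "protocols":
            if any(p.lower() in ("h2", "h2c") for p in parts[1:]):
                h2_listed = True
    return module_loaded and h2_listed


def assess(banner: str, config_text: str) -> dict:
    """Combine the version check and the configuration check into one triage verdict."""
    version = parse_httpd_version(banner)
    affected_version = version in AFFECTED_VERSIONS
    h2 = http2_enabled(config_text)
    if version is None:
        status = "unknown"
    elif not affected_version:
        status = "not affected"
    elif h2:
        status = "exposed"
    else:
        status = "affected version, HTTP/2 disabled"
    return {
        "version": version,
        "affected_version": affected_version,
        "http2_enabled": h2,
        "status": status,
        "upgrade_to": ".".join(str(n) for n in FIXED_VERSION),
    }


# Constructed sample inputs (not captured from any real host).
SAMPLE_BANNER = "Server version: Apache/2.4.66 (Unix)\nServer built:   Jan  1 2026 00:00:00"
SAMPLE_CONFIG_H2 = """\
LoadModule http2_module modules/mod_http2.so
# Protocols h2c http/1.1   <- commented out, must be ignored
<VirtualHost *:443>
    Protocols h2 http/1.1
</VirtualHost>
"""
SAMPLE_CONFIG_NO_H2 = """\
LoadModule http2_module modules/mod_http2.so
Protocols http/1.1
"""

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_CONFIG_H2))
    print(assess(SAMPLE_BANNER, SAMPLE_CONFIG_NO_H2))
```

In practice, feed it the real output of `httpd -v` (or `apachectl -v`) and the concatenated configuration, including every file pulled in by `Include`; `httpd -M` prints the loaded-module list if you would rather check for `http2_module` there than parse LoadModule lines. The check deliberately errs toward false positives: a `Protocols h2` line inside an inactive `<IfModule>` block still counts as enabled, which is the right bias for triage of an unauthenticated, internet-facing vector.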

Detection Resources

Manual Detection: 0 | Script Detection: 0 | Scanner Detection: 0

Affected Software

Vendor: Apache Software Foundation
Product: Apache HTTP Server
Affected Versions: 2.4.66
Description

Open-source web server and reverse proxy used to serve websites, applications, and HTTP APIs.

Deployment: Commonly internet-facing | Protocol: HTTP/2 | Ports: 80, 443
Affected Component: HTTP/2 stream handling in mod_http2, especially the early reset cleanup path.

Enterprise Usage: Estimated likelihood that this vendor/product is deployed in enterprise environments (AI-generated estimation based on market presence, product type and adoption signals, not exact data).
Vendor Size: Medium
Remediation
Workaround: Not available
Patch: Not available
Update: Upgrade Apache HTTP Server to 2.4.67 or later; version 2.4.67 fixes CVE-2026-23918.

Reference: httpd.apache.org
Threat Intelligence
EPSS Score: 0.1% (probability of exploitation in the next 30 days)
EPSS Percentile: 19% (worse than 19% of all CVEs)
CISA KEV: Not Listed
Active Exploitation: No Evidence
Threat Actors: No known threat actors

Detection Rules

No detection rules available

NVD Data

Description Summary

Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

CVSS Base Score: 8.8 (High)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High
CWE: CWE-415 Double Free

Affected Software (CPE) (1)

  • cpe:2.3:a:apache:http_server:2.4.66:*:*:*:*:*:*:*

Priority History

Planned Fix: Initial analysis