Apache has patched CVE-2026-23918 (CVSS 8.8), a double-free vulnerability in the mod_http2 module of Apache HTTP Server 2.4.66 that can be trivially exploited to cause a Denial-of-Service condition and, under the default Debian-derived Linux configuration, enables Remote Code Execution. The vulnerability affects one of the most widely deployed web server platforms in the world — Apache HTTP Server powers an estimated 32–37% of all active web servers globally. The fix ships in Apache HTTP Server 2.4.67, released May 4, 2026.
The flaw was discovered by Bartlomiej Dmitruk of Striga.ai and Stanislaw Strzalkowski of ISEC.pl, who reported it December 10, 2025. A patch was committed the following day, but public disclosure and the patched release were held until May 4, 2026. No active exploitation has been reported.
How CVE-2026-23918 Corrupts Memory in the mod_http2 Stream Cleanup Path
The vulnerability resides in h2_mplx.c, the multiplexing component of Apache’s HTTP/2 implementation. The flaw is triggered by a specific early stream reset sequence: an attacker sends an HTTP/2 HEADERS frame immediately followed by RST_STREAM with a non-zero error code on the same stream, before the multiplexer has registered the stream.
This sequence causes the stream to be freed twice, a double-free condition in which the same memory region is returned to the allocator a second time while references to it are still live. At minimum, this terminates the affected Apache worker process, producing a Denial-of-Service. An attacker can trigger this condition repeatedly to keep a server degraded or offline.
When Debian’s Default mmap Allocator Turns Denial-of-Service Into Code Execution
The path from double-free to Remote Code Execution depends on which memory allocator Apache’s Portable Runtime (APR) is using. On Debian-derived Linux distributions — Debian, Ubuntu, and their derivatives — APR defaults to the mmap allocator. This allocator is standard across a large share of production Apache deployments on Linux.
When the mmap allocator is in use, the freed virtual address remains mapped and predictable. Dmitruk and Strzalkowski demonstrated that an attacker can place a fake h2_stream struct at the freed virtual address and redirect its pool cleanup function pointer to system(), achieving arbitrary command execution with the privileges of the Apache process.
On non-Debian systems using alternative allocators, exploitation for RCE is not straightforward. However, organizations running Apache on Debian, Ubuntu, Raspberry Pi OS, Linux Mint, or any Debian-derived distribution should treat CVE-2026-23918 as a potential RCE vulnerability, not merely a DoS.
The Six-Month Coordinated Disclosure Window
Dmitruk and Strzalkowski reported the vulnerability on December 10, 2025. The Apache HTTP Server project committed a fix the following day, December 11, 2025, but coordinated with the researchers to hold public disclosure until the patched 2.4.67 release on May 4, 2026 — a roughly six-month window during which knowledge of the flaw was held to a small group.
The oss-security mailing list disclosure on May 4 provides full technical details of the vulnerability, including the conditions required for RCE beyond DoS.
CVE-2026-23918 Scope: Apache HTTP Server 2.4.66 with mod_http2, Fixed in 2.4.67
Affected: Apache HTTP Server 2.4.66 with mod_http2 enabled.
Fixed in: Apache HTTP Server 2.4.67, released May 4, 2026.
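An added exposure check, written for this article and not taken from Apache or the advisory, that classifies a host from the `Server version:` banner and the loaded-module list that `apache2ctl -v` and `apache2ctl -M` print. The sample banner and module list below are constructed, and the result labels are this script's own.

```shell
#!/bin/sh
# Classify exposure to CVE-2026-23918: only 2.4.66 with http2_module loaded is
# listed as affected; 2.4.67 and later carry the fix. Assumes the standard
# httpd/apache2ctl output formats "Server version: Apache/2.4.66 (Debian)" and
# " http2_module (shared)".

# extract_version: pull the dotted version (e.g. 2.4.66) out of the banner.
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# has_http2: succeed if the module list names http2_module (static or shared).
has_http2() {
    printf '%s\n' "$1" | grep -q '^ *http2_module'
}

# assess BANNER MODULES: print VULNERABLE, NOT_EXPOSED_HTTP2_DISABLED, FIXED,
# OUTSIDE_ADVISORY_SCOPE (a version the advisory does not list) or UNKNOWN_VERSION.
assess() {
    version=$(extract_version "$1")
    [ -n "$version" ] || { echo UNKNOWN_VERSION; return 0; }
    major=${version%%.*}; rest=${version#*.}; minor=${rest%%.*}
    case "$rest" in *.*) patch=${rest#*.}; patch=${patch%%.*} ;; *) patch=0 ;; esac
    if [ "$major" -eq 2 ] && [ "$minor" -eq 4 ] && [ "$patch" -eq 66 ]; then
        if has_http2 "$2"; then echo VULNERABLE; else echo NOT_EXPOSED_HTTP2_DISABLED; fi
    elif [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -gt 4 ]; } ||
         { [ "$major" -eq 2 ] && [ "$minor" -eq 4 ] && [ "$patch" -ge 67 ]; }; then
        echo FIXED
    else
        echo OUTSIDE_ADVISORY_SCOPE
    fi
}

# Constructed sample output (not captured from a real host) for a stand-alone run.
SAMPLE_BANNER='Server version: Apache/2.4.66 (Debian)'
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 http2_module (shared)
 mpm_event_module (shared)'

# Use the live server when apache2ctl is present, otherwise the sample above.
if command -v apache2ctl >/dev/null 2>&1; then
    assess "$(apache2ctl -v 2>/dev/null)" "$(apache2ctl -M 2>/dev/null)"
else
    assess "$SAMPLE_BANNER" "$SAMPLE_MODULES"
fi
```

On RHEL-style hosts substitute `httpd -v` and `httpd -M`; the banner and module formats are the same.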
Administrators who have mod_http2 disabled are not exposed to this specific vulnerability. However, HTTP/2 is enabled by default on most modern Apache deployments and is required for modern browser performance. Disabling it as a mitigation is not practical for most production environments.
Why There Is No Configuration-Level Workaround
The double-free occurs in core mod_http2 stream lifecycle code and cannot be disabled through configuration without entirely disabling HTTP/2 support. The Apache Software Foundation recommends upgrading to 2.4.67 as the only complete remediation. No intermediate patch or configuration setting addresses the underlying memory corruption condition.
Organizations running Apache on Debian-derived Linux distributions should treat this upgrade as a priority given the practical RCE path under default allocator settings.