Apache CVE-2026-23918 Enables DoS and RCE in HTTP/2 — Patch to 2.4.67

CVE-2026-23918 is a CVSS 8.8 double-free in Apache HTTP Server 2.4.66 mod_http2, causing DoS on default deployments and RCE on Debian and Docker installations. Fixed in Apache 2.4.67; PoC is public.

CVE-2026-23918, a CVSS 8.8 double-free vulnerability in the mod_http2 module of Apache HTTP Server 2.4.66, causes denial of service on default multi-threaded deployments and confirmed remote code execution on systems using the APR mmap allocator — including Debian and official Apache Docker images. Researchers Bartlomiej Dmitruk of Striga.ai and Stanislaw Strzalkowski of ISEC.pl discovered the flaw and demonstrated a working proof-of-concept achieving RCE in lab conditions. The vulnerability is fixed in Apache HTTP Server 2.4.67.

CVE-2026-23918: Double-Free in HTTP/2 Stream Cleanup Triggered by HEADERS-Then-RST_STREAM Sequence

The vulnerability exists in the h2_mplx.c source file of Apache’s mod_http2 module. When a client sends an HTTP/2 HEADERS frame immediately followed by an RST_STREAM frame with a non-zero error code, the server’s stream cleanup path performs a double-free operation — freeing the same memory allocation twice. The double-free produces undefined behavior that, on default Apache deployments using a multi-threaded MPM, causes an immediate denial of service by crashing the server process.

On systems where Apache is compiled against APR with the mmap allocator — the configuration used in Debian packages and official Apache httpd Docker images — researchers demonstrated that the double-free translates to a working proof-of-concept achieving remote code execution. No active exploitation had been confirmed at the time of the May 5, 2026 disclosure, but the public availability of the PoC significantly increases the likelihood of exploitation attempts against unpatched systems.

Which Apache Deployments Face Remote Code Execution vs. Denial of Service

The distinction in impact between DoS and RCE depends on the memory allocator in use:

• Default multi-threaded MPM deployments: Double-free causes denial of service — crash of the server process, recoverable by process restart
• Debian-packaged Apache and official Apache httpd Docker images (APR mmap allocator): Researchers confirmed working RCE in lab conditions

Production environments running Apache on Debian-based Linux distributions or deployed via the official Docker image are in the RCE exposure category. The RCE requires no authentication — only the ability to send HTTP/2 traffic to the affected server.
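The two sections above give a defender three facts to check on each host: the httpd version (2.4.66 affected, 2.4.67 fixed), whether http2_module is loaded, and whether the build is a Debian package or the official Docker image (the APR mmap allocator tier). The following triage script is an added example, not code from the article, the researchers, or the Apache project. It parses the output of `httpd -v` (or `apache2 -v` on Debian) and `apachectl -M`, reads `/etc/os-release` to recognise Debian-based systems, and treats an `HTTPD_VERSION` environment variable as a hint that the process runs in the official httpd Docker image; that last hint is an assumption about the image, not something the article states. Only version 2.4.66 is classified as affected because that is the only version the article names; other versions are reported as unclassified rather than guessed.

```python
# Added triage helper for CVE-2026-23918 (not from the article or the Apache project).
# Classifies a host's exposure tier from command output the operator already has.
import re
from typing import Mapping, Optional

AFFECTED_VERSION = "2.4.66"   # the version the article names as vulnerable
FIXED_VERSION = "2.4.67"      # the release the article names as the fix


def parse_httpd_version(v_output: str) -> Optional[str]:
    """Extract '2.4.66' from a line such as 'Server version: Apache/2.4.66 (Unix)'."""
    m = re.search(r"Apache/(\d+\.\d+\.\d+)", v_output)
    return m.group(1) if m else None


def http2_loaded(modules_output: str) -> bool:
    """True if `apachectl -M` / `apache2ctl -M` lists http2_module (static or shared)."""
    return re.search(r"^\s*http2_module\s+\((?:static|shared)\)", modules_output, re.M) is not None


def is_debian_based(os_release: str) -> bool:
    """True if /etc/os-release identifies Debian or a Debian-derived distribution."""
    ids = set()
    for line in os_release.splitlines():
        key, _, value = line.partition("=")
        if key.strip() in ("ID", "ID_LIKE"):
            ids.update(value.strip().strip('"').split())
    return "debian" in ids


def in_official_httpd_image(environ: Mapping[str, str]) -> bool:
    """Assumption: the official httpd Docker image exports HTTPD_VERSION in the environment."""
    return "HTTPD_VERSION" in environ


def classify(v_output: str, modules_output: str, os_release: str, environ: Mapping[str, str]) -> str:
    """Return one of: unknown, unknown-version, patched, not-affected, dos, rce."""
    version = parse_httpd_version(v_output)
    if version is None:
        return "unknown"
    if version == FIXED_VERSION:
        return "patched"
    if version != AFFECTED_VERSION:
        return "unknown-version"          # article classifies only 2.4.66; do not guess
    if not http2_loaded(modules_output):
        return "not-affected"             # mod_http2 not loaded, so no HTTP/2 stream cleanup path
    # Debian packages and the official Docker image use the APR mmap allocator (RCE tier).
    if is_debian_based(os_release) or in_official_httpd_image(environ):
        return "rce"
    return "dos"                          # default multi-threaded MPM: crash, not code execution


if __name__ == "__main__":
    import os
    import shutil
    import subprocess

    httpd_bin = shutil.which("httpd") or shutil.which("apache2")
    ctl_bin = shutil.which("apachectl") or shutil.which("apache2ctl")
    v_out = subprocess.run([httpd_bin, "-v"], capture_output=True, text=True).stdout if httpd_bin else ""
    m_out = subprocess.run([ctl_bin, "-M"], capture_output=True, text=True).stdout if ctl_bin else ""
    osr = open("/etc/os-release").read() if os.path.exists("/etc/os-release") else ""
    print("CVE-2026-23918 exposure tier:", classify(v_out, m_out, osr, os.environ))
```

Run it on each host as the user that can execute `apachectl -M`; a result of `rce` or `dos` means the 2.4.67 upgrade applies, with `rce` hosts taken first. The platform hints decide only between the two tiers the article describes; a host reported as `dos` is still a DoS target and still needs the patch.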

Apache 2.4.67 Patches CVE-2026-23918 — Priority for Debian and Docker Deployments

CVE-2026-23918 is fixed in Apache HTTP Server 2.4.67, disclosed May 5, 2026. Organizations running Apache 2.4.66 with mod_http2 enabled should prioritize upgrading to 2.4.67. Debian and Docker-based Apache deployments face the higher-severity RCE risk and should treat this upgrade as urgent, given the public PoC availability confirmed at the time of disclosure.

Apache HTTP Server is among the most widely deployed web servers globally. The RCE condition, while dependent on the APR mmap allocator configuration, applies broadly to production environments using Debian-sourced or Docker-based Apache installations — configurations common in cloud and containerized workloads.

CVE-2026-23918 Discovered by Dmitruk of Striga.ai and Strzalkowski of ISEC.pl — PoC Included in Disclosure

The vulnerability was discovered by Bartlomiej Dmitruk of Striga.ai and Stanislaw Strzalkowski of ISEC.pl. The researchers developed a working RCE proof-of-concept, which was included in the responsible disclosure package. No active exploitation was confirmed by the researchers or Apache at the time of the May 5, 2026 public disclosure.
