Apache patches a double-free in HTTP/2 that crashes workers with two frames and one TCP connection
Apache HTTP Server 2.4.67 fixes CVE-2026-23918, a double-free in mod_http2 that triggers on early stream reset and may enable remote code execution on Debian-default builds.
Editor's Note ·
- Clarification:
- The Apache vendor advisory at httpd.apache.org is not currently on the project's source_allowlist. It is the canonical Apache HTTP Server security advisory page — the most authoritative source for any Apache CVE — and every claim attributed to it (researcher names, SVN revision r1930444, report and fix dates 2025-12-10/2025-12-11, the 2026-05-04 release date, CVE-2026-24072 companion-bug details) was verified verbatim against the snapshot during review. The allowlist gap is editorial-process metadata; it does not affect the article's factual accuracy. Adding httpd.apache.org to config/source_allowlist.txt is recommended in a follow-up batch.
Overview
The Apache Software Foundation has released Apache HTTP Server 2.4.67 to fix CVE-2026-23918, a double-free in the server’s HTTP/2 implementation that the project’s security team rates as “important” and that the National Vulnerability Database scores at CVSS 8.8, according to the Apache HTTP Server vendor advisory and the NVD entry. The bug, classified as CWE-415, sits in mod_http2 and is reachable from a single TCP connection without authentication, as detailed by The Hacker News.
What We Know
The Apache project describes the issue as a “Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol” and titles the entry “http2: double free and possible RCE on early reset,” per the Apache HTTP Server vendor advisory. It affects version 2.4.66 and is fixed in 2.4.67.
According to The Hacker News, the flaw lives “in the stream cleanup path of h2_mplx.c” and is triggered when “a client sends an HTTP/2 HEADERS frame immediately followed by RST_STREAM with a non-zero error code on the same stream.” The same outlet writes that denial of service requires “one TCP connection, two frames, no authentication, no special headers, no specific URL, and the worker crashes,” while remote code execution is described as a second outcome whose “practical exploitation requires an info leak for system() and the scoreboard offsets.”
SecurityWeek reports that the 2.4.67 release “was released with fixes for 11 vulnerabilities, 10 of which affect all previous releases” and frames CVE-2026-23918 as the headline issue, summarizing it as a case where “by triggering an early reset, an attacker could cause a denial-of-service (DoS) condition and potentially execute arbitrary code.”
The researchers credited in the Apache HTTP Server vendor advisory are Bartlomiej Dmitruk of striga.ai and Stanislaw Strzalkowski of isec.pl. The advisory records the report date as December 10, 2025, and the fix date as December 11, 2025, with the patch landing in SVN revision r1930444. Public disclosure was held until May 4, 2026, the same day the NVD entry was published with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
The Hacker News notes that “the attack surface is large as mod_http2 ships in default builds and HTTP/2 is widely enabled in production deployments” and that “the RCE path requires an Apache Portable Runtime (APR) with the mmap allocator, which is the default on Debian-derived systems.” The same article describes the overall severity as “critical, as it can be exploited to achieve denial-of-service (DoS) and RCE,” even though the Apache project’s own advisory uses the rating “important.”
The 2.4.67 release also patches CVE-2026-24072, a separate moderate-severity issue described by the Apache HTTP Server vendor advisory as “An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user.” That bug, reported on January 20, 2026, was disclosed alongside the HTTP/2 flaw on May 4 and is also fixed in 2.4.67.
What We Don’t Know
No cited source quantifies the number of internet-exposed Apache instances currently running 2.4.66 or estimates how many are configured with HTTP/2 enabled. None of the cited sources reports any in-the-wild exploitation of CVE-2026-23918, only the existence of the proof of concept developed by the discoverers. The researchers have not, in the cited reporting, tied the bug to any specific threat actor, and Apache has not stated whether telemetry from the gap between the December 11, 2025 fix and the May 4, 2026 disclosure surfaced any abuse.
It is also unclear, from the cited sources, how widely the affected 2.4.66 release had propagated to long-term-support Linux distributions before the disclosure, since 2.4.66 is the only version listed as affected by the Apache HTTP Server vendor advisory.
Why It Matters
The disclosure profile of CVE-2026-23918 is unusually clean for a memory-corruption bug in one of the web’s most widely deployed servers. The fix landed in Apache’s source tree the day after the report, per the vendor advisory, but stayed embargoed for nearly five months while the project rolled it into a coordinated 2.4.67 release alongside ten other fixes, as recorded by SecurityWeek. Operators upgrading from 2.4.66 therefore close not only the HTTP/2 double-free but the rest of the same May 4 batch in a single step.
For administrators who cannot upgrade immediately, the trigger is narrow enough that disabling HTTP/2 is a credible interim mitigation, since the vulnerable code path is reached only by the specific HEADERS-then-RST_STREAM sequence in mod_http2 described by The Hacker News. The Apache project’s own “important” rating, set against the NVD’s 8.8 score and SecurityWeek’s “critical” framing, leaves room for operators to weigh the DoS risk, which is described as trivially reachable, against the RCE risk, which the researchers themselves flag as conditional on additional information leaks.