Apache HTTP Server fixes HTTP/2 double-free flaw with possible RCE
The Apache Software Foundation released Apache HTTP Server 2.4.67 to fix five vulnerabilities, led by CVE-2026-23918, an important- to high-severity flaw in the HTTP/2 implementation. Apache said the bug is a double free triggered by an early reset that could lead to remote code execution, and that it affects version 2.4.66. The issue was reported in December 2025 and fixed shortly afterward, with public disclosure following on the oss-sec mailing list; Bartlomiej Dmitruk of striga.ai and Stanislaw Strzalkowski of isec.pl were credited with finding it.
The 2.4.67 release also patches CVE-2026-24072 in mod_rewrite, which can allow local .htaccess authors to read arbitrary files as the httpd user, along with lower-severity issues in mod_proxy_ajp, mod_md, and mod_dav_lock. Apache and downstream reporting urged organizations running 2.4.66 or earlier to upgrade immediately, while temporary mitigations for environments that cannot patch at once include disabling HTTP/2, removing mod_dav_lock, and reviewing .htaccess permissions.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Striga publishes technical analysis and exploitation details for CVE-2026-23918
On 2026-05-06, Striga published a write-up describing how an early HEADERS plus RST_STREAM sequence in mod_http2 could enqueue the same h2_stream pointer twice for cleanup, leading to a double free. The post also claimed a single connection with two HTTP/2 frames could crash a worker process and that lab testing achieved code execution with known system() and scoreboard addresses.
Apache publicly discloses CVE-2026-23918 on oss-sec
Apache publicly disclosed CVE-2026-23918 on the oss-sec mailing list on 2026-05-04. The advisory described the flaw as an important-severity HTTP/2 double free with possible remote code execution on early reset.
Apache releases HTTP Server 2.4.67 with CVE-2026-23918 patch
On 2026-05-04, the Apache Software Foundation released Apache HTTP Server 2.4.67, patching five vulnerabilities including CVE-2026-23918. Apache recommended upgrading from 2.4.66 to 2.4.67 to remediate the HTTP/2 double-free issue.
Apache fixes CVE-2026-23918 shortly after report
Apache fixed CVE-2026-23918 shortly after it was reported in December 2025. The issue affected Apache HTTP Server 2.4.66 and the remediation was prepared for a later public release.
Researchers report Apache HTTP Server HTTP/2 double-free flaw
Bartlomiej Dmitruk of striga.ai and Stanislaw Strzalkowski of isec.pl reported CVE-2026-23918 to Apache in December 2025. The flaw is a double free in Apache HTTP Server's HTTP/2 handling that could lead to remote code execution on early reset.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
13 references tracked. Mallory keeps watching after this page renders.
Apache fixes critical HTTP/2 vulnerability allowing remote code execution | brief | SC Media
scworld.com
Open sourceCVE-2026-23918: Apache HTTP/2 Vulnerability
socprime.com
Open sourceApache fixes critical HTTP/2 double-free flaw CVE-2026-23918 enabling RCE
securityaffairs.com
Open sourceCritical Apache HTTP/2 Double-Free Flaw Enables Denial-of-Service and Potential Remote Code Execution
darkwebinformer.com
Open source[no-title]
downloads.apache.org
Open source� Apache httpd 2.4.67 ��������� ���������� � HTTP/2, �� ����������� ���̣���� ���������� ����
opennet.me
Open sourceoss-sec: CVE-2026-23918: Apache HTTP Server: http2: double free and possible RCE on early reset
seclists.org
Open sourceoss-security - CVE-2026-23918: Apache HTTP Server: http2: double free and possible RCE on early reset
openwall.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Apache HTTP Server mod_http2 Double-Free Exposes Pre-Auth RCE and DoS Risk
Apache HTTP Server disclosed **CVE-2026-23918**, a high-severity double-free flaw in `mod_http2` affecting version `2.4.66`, with researchers showing it can be triggered remotely over a single TCP connection by sending crafted HTTP/2 frames on the same stream. The bug stems from the same `h2_stream` object being queued twice for cleanup, causing a second `apr_pool_destroy` on freed memory; on multi-threaded MPM deployments such as **event** and **worker**, this can reliably crash worker processes without authentication, while **prefork** is not affected. Public reporting said denial-of-service is the most practical near-term outcome, but under specific conditions the memory corruption can be developed into pre-authenticated remote code execution. Apache fixed the issue in **version 2.4.67** by preventing duplicate cleanup entries and urged administrators to upgrade immediately. Guidance published alongside the disclosure recommended temporarily disabling **HTTP/2** where patching is delayed, using rate limiting or a WAF to reduce opportunistic abuse, and reviewing exposure from related modules after the same release also patched flaws in `mod_rewrite`, `mod_proxy_ajp`, `mod_md`, and `mod_dav_lock`. At the time of publication, sources said there was **no confirmed in-the-wild exploitation**, but warned that Apache HTTP Server's broad deployment and common `mod_http2` enablement make internet-facing systems attractive targets.
Jun 10, 2026
Apache HTTP Server 2.4.68 fixes 13 flaws across HTTP/2, proxy, SSL, LDAP, and WebDAV
The Apache Software Foundation released **Apache HTTP Server 2.4.68** to patch 13 vulnerabilities affecting versions prior to `2.4.68`, with many issues spanning `2.4.0` through `2.4.67`. The flaws span multiple modules, including `mod_http2`, `mod_proxy_ftp`, `mod_proxy_html`, `mod_ssl`, `mod_ldap`, `mod_dav_fs`, `mod_xml2enc`, and `mod_headers`, and include use-after-free, heap and buffer overflows, out-of-bounds reads, denial-of-service conditions, cross-site scripting, privilege-escalation and path-handling weaknesses. Apache and national defenders, including Canada’s Cyber Centre, urged administrators to review the advisory and upgrade because workarounds are unavailable for most of the issues. Notable CVEs include `CVE-2026-49975`, a `mod_http2` denial-of-service bug triggered by excessive size values in malicious HTTP/2 requests; `CVE-2026-48913`, a `mod_http2` memory-corruption issue when file handles are exhausted; `CVE-2026-34355` and `CVE-2026-34356`, buffer-overflow flaws tied to untrusted backend systems in `mod_proxy_html` and `ProxyPassReverseCookie*`; `CVE-2026-44631`, a heap underflow in `ap_regname` caused by crafted regular expressions; `CVE-2026-29167`, a `mod_ldap` per-directory use-after-free; `CVE-2026-29170` and `CVE-2026-44186` in `mod_proxy_ftp`; `CVE-2026-44185` in `mod_ssl` OCSP handling; and `CVE-2026-42535` in `mod_dav_fs`. The release also ships non-security changes such as OpenSSL 4.0 support and `mod_http2` updates, but the immediate priority for exposed environments is upgrading all Apache HTTP Server deployments to `2.4.68`.
Jun 9, 2026
HTTP/2 Bomb DoS Flaw Exposes Apache and Major Web Servers to Memory Exhaustion
A newly disclosed denial-of-service vulnerability dubbed **HTTP/2 Bomb** (`CVE-2026-49975`) can let unauthenticated attackers crash vulnerable servers by abusing HTTP/2 header compression and flow-control behavior to amplify small requests into large in-memory allocations. Researchers said the flaw affects widely deployed infrastructure including **nginx**, **Apache httpd**, **Microsoft IIS**, **Envoy**, and **Cloudflare Pingora**, with early Internet scans identifying more than **880,000** potentially exposed websites. Security firms reported reconnaissance activity in the wild, and sectors with large numbers of Internet-facing systems—especially **telecommunications, IT, and healthcare**—were flagged as particularly exposed. A public proof-of-concept is now available for **Apache HTTP Server**, where affected versions **2.4.17 through 2.4.67** can be forced into sustained memory exhaustion through crafted HTTP/2 cookie headers and a zero-window flow-control technique that prevents resources from being released. Apache fixed the issue in **2.4.68**, while other vendors have rolled out patches or mitigations on uneven timelines, including earlier fixes from nginx and Apache, a next-day patch from Envoy, a later mitigation from Microsoft, and no patch yet reported for Cloudflare at the time of coverage. Defenders are being urged to **upgrade immediately**, consider temporarily disabling HTTP/2 where feasible, and watch for abnormal memory growth and other signs of attempted DoS activity.
Jun 18, 2026