Apache HTTP Server mod_http2 Double-Free Exposes Pre-Auth RCE and DoS Risk
Apache HTTP Server disclosed CVE-2026-23918, a high-severity double-free flaw in mod_http2 affecting version 2.4.66, with researchers showing it can be triggered remotely over a single TCP connection by sending crafted HTTP/2 frames on the same stream. The bug stems from the same h2_stream object being queued twice for cleanup, causing a second apr_pool_destroy on freed memory; on multi-threaded MPM deployments such as event and worker, this can reliably crash worker processes without authentication, while prefork is not affected. Public reporting said denial-of-service is the most practical near-term outcome, but under specific conditions the memory corruption can be developed into pre-authenticated remote code execution.
Apache fixed the issue in version 2.4.67 by preventing duplicate cleanup entries and urged administrators to upgrade immediately. Guidance published alongside the disclosure recommended temporarily disabling HTTP/2 where patching is delayed, using rate limiting or a WAF to reduce opportunistic abuse, and reviewing exposure from related modules after the same release also patched flaws in mod_rewrite, mod_proxy_ajp, mod_md, and mod_dav_lock. At the time of publication, sources said there was no confirmed in-the-wild exploitation, but warned that Apache HTTP Server's broad deployment and common mod_http2 enablement make internet-facing systems attractive targets.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Apache releases HTTP Server 2.4.68
On 2026-06-08, the Apache Software Foundation announced the general availability of Apache HTTP Server 2.4.68 as a security, feature, and bug fix update for the 2.4.x branch. The project recommended upgrading from all previous releases and noted that the 2.2.x branch is end-of-life.
Striga publishes technical analysis of CVE-2026-23918
Striga published a detailed writeup explaining how two HTTP/2 frames on the same stream can trigger the mod_http2 double-free remotely over a single TCP connection. The research also described how the bug could be developed toward RCE on APR mmap allocator builds when paired with an information leak.
Apache releases HTTP Server 2.4.67 with fixes
Apache released version 2.4.67 to fix CVE-2026-23918 and other vulnerabilities. The fix for the mod_http2 issue deduplicates cleanup entries before adding them to the internal spurge array.
Apache bug 69899 reported as a stability issue
The underlying mod_http2 double-free issue was previously reported to Apache as Bugzilla 69899 in December 2025, but it was treated as a stability bug and did not receive a CVE at that time.
Apache discloses CVE-2026-23918
On 2026-05-04, Apache disclosed CVE-2026-23918 affecting Apache HTTP Server 2.4.66. The flaw is a mod_http2 double-free that can lead to denial of service and, under certain conditions, unauthenticated remote code execution.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
Apache HTTP Server vulnerabilities CVE-2026-24072 and CVE-2026-23918
my.f5.com
Open source[ANNOUNCEMENT] Apache HTTP Server 2.4.68 Released
mail-archive.com
Open sourceFor a Fistful of Dollars: Less than $100 of Compute Surfaces Pre-auth RCE in Apache httpd
striga.ai
Open sourceApache HTTP Server RCE Vulnerability: Critical Patch for CVE-2026-23918 | The CyberSec Guru
thecybersecguru.com
Open sourceCritical Vulnerability in Apache HTTP Server Disclosed (CVE-2026-23918)
labs.beazley.security
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Apache HTTP Server fixes HTTP/2 double-free flaw with possible RCE
The Apache Software Foundation released **Apache HTTP Server 2.4.67** to fix five vulnerabilities, led by **`CVE-2026-23918`**, an important- to high-severity flaw in the HTTP/2 implementation. Apache said the bug is a **double free** triggered by an early reset that could lead to **remote code execution**, and that it affects **version 2.4.66**. The issue was reported in December 2025 and fixed shortly afterward, with public disclosure following on the `oss-sec` mailing list; Bartlomiej Dmitruk of striga.ai and Stanislaw Strzalkowski of isec.pl were credited with finding it. The 2.4.67 release also patches **`CVE-2026-24072`** in `mod_rewrite`, which can allow local `.htaccess` authors to read arbitrary files as the `httpd` user, along with lower-severity issues in `mod_proxy_ajp`, `mod_md`, and `mod_dav_lock`. Apache and downstream reporting urged organizations running **2.4.66 or earlier** to upgrade immediately, while temporary mitigations for environments that cannot patch at once include disabling **HTTP/2**, removing `mod_dav_lock`, and reviewing `.htaccess` permissions.
May 8, 2026
HTTP/2 Bomb DoS Flaw Exposes Apache and Major Web Servers to Memory Exhaustion
A newly disclosed denial-of-service vulnerability dubbed **HTTP/2 Bomb** (`CVE-2026-49975`) can let unauthenticated attackers crash vulnerable servers by abusing HTTP/2 header compression and flow-control behavior to amplify small requests into large in-memory allocations. Researchers said the flaw affects widely deployed infrastructure including **nginx**, **Apache httpd**, **Microsoft IIS**, **Envoy**, and **Cloudflare Pingora**, with early Internet scans identifying more than **880,000** potentially exposed websites. Security firms reported reconnaissance activity in the wild, and sectors with large numbers of Internet-facing systems—especially **telecommunications, IT, and healthcare**—were flagged as particularly exposed. A public proof-of-concept is now available for **Apache HTTP Server**, where affected versions **2.4.17 through 2.4.67** can be forced into sustained memory exhaustion through crafted HTTP/2 cookie headers and a zero-window flow-control technique that prevents resources from being released. Apache fixed the issue in **2.4.68**, while other vendors have rolled out patches or mitigations on uneven timelines, including earlier fixes from nginx and Apache, a next-day patch from Envoy, a later mitigation from Microsoft, and no patch yet reported for Cloudflare at the time of coverage. Defenders are being urged to **upgrade immediately**, consider temporarily disabling HTTP/2 where feasible, and watch for abnormal memory growth and other signs of attempted DoS activity.
Jun 18, 2026
Apache HTTP Server 2.4.68 fixes 13 flaws across HTTP/2, proxy, SSL, LDAP, and WebDAV
The Apache Software Foundation released **Apache HTTP Server 2.4.68** to patch 13 vulnerabilities affecting versions prior to `2.4.68`, with many issues spanning `2.4.0` through `2.4.67`. The flaws span multiple modules, including `mod_http2`, `mod_proxy_ftp`, `mod_proxy_html`, `mod_ssl`, `mod_ldap`, `mod_dav_fs`, `mod_xml2enc`, and `mod_headers`, and include use-after-free, heap and buffer overflows, out-of-bounds reads, denial-of-service conditions, cross-site scripting, privilege-escalation and path-handling weaknesses. Apache and national defenders, including Canada’s Cyber Centre, urged administrators to review the advisory and upgrade because workarounds are unavailable for most of the issues. Notable CVEs include `CVE-2026-49975`, a `mod_http2` denial-of-service bug triggered by excessive size values in malicious HTTP/2 requests; `CVE-2026-48913`, a `mod_http2` memory-corruption issue when file handles are exhausted; `CVE-2026-34355` and `CVE-2026-34356`, buffer-overflow flaws tied to untrusted backend systems in `mod_proxy_html` and `ProxyPassReverseCookie*`; `CVE-2026-44631`, a heap underflow in `ap_regname` caused by crafted regular expressions; `CVE-2026-29167`, a `mod_ldap` per-directory use-after-free; `CVE-2026-29170` and `CVE-2026-44186` in `mod_proxy_ftp`; `CVE-2026-44185` in `mod_ssl` OCSP handling; and `CVE-2026-42535` in `mod_dav_fs`. The release also ships non-security changes such as OpenSSL 4.0 support and `mod_http2` updates, but the immediate priority for exposed environments is upgrading all Apache HTTP Server deployments to `2.4.68`.
Jun 9, 2026