Apache Software Foundation has released a security update for Apache HTTP Server that fixes a critical vulnerability CVE-2026-23918 (CVSS 8.8) — a double-free bug in the mod_http2 module that allows an attacker to cause a denial of service and, under certain conditions, achieve remote code execution. Version 2.4.66 is affected; the fix is available in version 2.4.67. Given that mod_http2 is enabled in standard Apache builds and HTTP/2 is widely used in production environments, the potential attack surface is very large.
Technical details of the vulnerability
According to the entry in the NVD, CVE-2026-23918 is a double-free vulnerability in HTTP/2 protocol handling. According to the researchers who discovered the issue, the bug is located in the stream cleanup path in the file h2_mplx.c.
The trigger mechanism is reported to be as follows: a client sends an HTTP/2 HEADERS frame immediately followed by an RST_STREAM with a non-zero error code on the same stream — before the multiplexer has time to register the stream. As a result, two nghttp2 callbacks (on_frame_recv_cb and on_stream_close_cb) sequentially call the same cleanup function, placing the same h2_stream pointer into the cleanup array twice. During the subsequent iteration over the array, the second apr_pool_destroy call accesses memory that has already been freed.
Two exploitation scenarios
The researchers describe two possible impacts:
- Denial of Service (DoS) — according to the researchers, this is trivially achievable: a single TCP connection and two frames are sufficient, with no authentication or special headers required. The Apache worker process crashes; although the server restarts it, all requests being handled by that process are lost. The attack can be sustained continuously. This vector is presumed to work on any standard deployment with mod_http2 and a multithreaded MPM model.
- Remote Code Execution (RCE) — the researchers report that they created a working proof of concept on x86_64 architecture. The exploitation chain is believed to use memory reallocation via mmap to place a forged h2_stream structure at the freed virtual address, redirecting the pool cleanup function pointer to system(). According to the researchers, Apache scoreboard memory is used as a stable container for the forged structures and command string; it resides at a fixed address for the entire lifetime of the server even with ASLR enabled.
Important caveat: the details of the RCE exploitation chain are based on the researchers’ statements and have not been independently confirmed via an official Apache advisory. The researchers themselves note that practical RCE exploitation requires an information leak to determine the address of system() and scoreboard offsets, and that the heap-spray technique is probabilistic. Nevertheless, they claim that in lab conditions, code execution can be achieved within minutes.
Affected configurations and scale
The vulnerability affects Apache HTTP Server 2.4.66 with the mod_http2 module enabled. According to the researchers, the RCE exploitation path requires Apache Portable Runtime (APR) with the mmap allocator, which is presumably used by default on Debian-based systems and in the official httpd Docker image.
It is reported that the MPM prefork model is not affected by this vulnerability, whereas the multithreaded MPM models (event, worker), which are standard for modern deployments, are at risk.
At the time of publication, CVE-2026-23918 has not been added to the CISA KEV catalog, and there is no confirmed data on active exploitation in the wild. Exploitation status — unknown.
Impact assessment
Apache HTTP Server remains one of the most widely used web servers in the world. A combination of several factors makes this vulnerability particularly significant:
- The mod_http2 module is enabled in standard Apache builds
- HTTP/2 is actively used in production environments
- The DoS vector does not require authentication and uses a minimal number of network packets
- A CVSS score of 8.8 indicates high criticality
Organizations most at risk are those using Apache HTTP Server 2.4.66 with HTTP/2 in publicly accessible services — web hosting, CDN nodes, reverse proxy servers and API gateways.
Mitigation recommendations
- Update Apache HTTP Server to version 2.4.67 — this is the primary measure to remediate the vulnerability.
- If immediate updating is not possible, consider temporarily disabling mod_http2 by commenting out the LoadModule http2_module directive in the server configuration. This will eliminate the attack vector at the cost of giving up HTTP/2.
- Check which MPM model you use: the command apachectl -V | grep MPM will show the current configuration. According to the researchers, prefork is not affected by the vulnerability, although this has not been confirmed in the vendor’s official advisory.
- Monitoring: track abnormal terminations of Apache worker processes and spikes in HTTP/2 connections with immediate stream resets — this may indicate attempts to exploit the DoS vector.
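The exposure check (version, mod_http2, MPM) and the worker-crash monitoring from the list above, as an added Python example; it is not code from the advisory, the researchers or the Apache project. It assumes the input is the text of `httpd -V` and `httpd -M` plus an error log in Apache's default ErrorLogFormat; the command output and log lines in the block are constructed.

```python
# Added example (not from the advisory or the Apache project): triage a host for
# CVE-2026-23918 from `httpd -V` / `httpd -M` output, then scan the error log for the
# repeated worker crashes the DoS vector would cause. Sample data is constructed.
import re
from datetime import datetime

AFFECTED, FIXED = (2, 4, 66), (2, 4, 67)

def assess(v_output: str, m_output: str) -> str:
    """Classify exposure from `httpd -V` (version, MPM) and `httpd -M` (modules)."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", v_output)
    if not m:
        raise ValueError("no Apache version found in -V output")
    version = tuple(int(x) for x in m.groups())
    if version >= FIXED:
        return "patched"
    if version != AFFECTED:
        return "version not named in the advisory; verify separately"
    if not re.search(r"^\s*http2_module\b", m_output, re.M):
        return "not exposed: mod_http2 not loaded"
    mpm = next(iter(re.findall(r"Server MPM:\s+(\w+)", v_output)), "unknown").lower()
    if mpm == "prefork":  # researchers' claim, not confirmed by the vendor advisory
        return "reduced exposure: prefork MPM"
    return f"exposed: Apache 2.4.66, {mpm} MPM, mod_http2 loaded"

# Apache's real AH00052 child-exit notice, with the default ErrorLogFormat timestamp.
CRASH = re.compile(r"^\[(?P<ts>\w{3} \w{3} \d\d \d\d:\d\d:\d\d\.\d+ \d{4})\] "
                   r"\[core:notice\] .*AH00052: child pid \d+ exit signal .+ \(\d+\)$")

def crash_bursts(log_text: str, window_s: int = 60, threshold: int = 3) -> list:
    """(first_crash_iso, count) for each run of >= threshold worker crashes within window_s."""
    times = sorted(datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S.%f %Y")
                   for m in map(CRASH.match, log_text.splitlines()) if m)
    bursts, i = [], 0
    while i < len(times):
        j = i  # extend the window from crash i as far as window_s allows
        while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_s:
            j += 1
        if j - i + 1 >= threshold:
            bursts.append((times[i].isoformat(), j - i + 1))
        i = j + 1
    return bursts

# Constructed sample input: a 2.4.66 event-MPM host, three crashes in 4 s, then a stray one.
V_OUT = "Server version: Apache/2.4.66 (Unix)\nServer MPM:     event\n"
M_OUT = "Loaded Modules:\n core_module (static)\n http2_module (shared)\n"
LOG = "\n".join(f"[Tue Mar 03 {t} 2026] [core:notice] [pid 100:tid 1] AH00052: child pid "
                f"{101 + n} exit signal Segmentation fault (11)"
                for n, t in enumerate(["10:00:01.000000", "10:00:03.000000",
                                       "10:00:05.000000", "12:30:00.000000"]))
```

On the sample data `assess(V_OUT, M_OUT)` reports the host as exposed and `crash_bursts(LOG)` returns the one three-crash burst while ignoring the isolated crash two and a half hours later.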
Given the CVSS score of 8.8 and the triviality of DoS exploitation, upgrading to Apache HTTP Server 2.4.67 should be treated as a priority. Organizations running publicly accessible Apache instances with HTTP/2 are advised to perform the update within the next few days, without waiting for confirmed reports of exploitation in the wild. Further details about the vulnerability are available in the NVD entry for CVE-2026-23918.