The Apache HTTP Server team shipped 2.4.67 yesterday with a fix for CVE-2026-23918, a double-free in mod_http2 that lets a remote, unauthenticated attacker corrupt the heap of any server running 2.4.66 with HTTP/2 enabled. CVSS sits at 8.8. The advisory acknowledges DoS is trivial and RCE is “possible.” Given how widely Apache is deployed in front of internal apps, reverse proxies, and CDN origins, this is the patch to push tonight.
What happened
The bug lives in h2_mplx.c, in the stream cleanup path that runs when a client sends an HTTP/2 RST_STREAM frame to abort a request before the server has finished processing it, the same “early reset” pattern that gave us the Rapid Reset DDoS class in 2023. In 2.4.66, an early reset can make mod_http2 release the same stream memory region twice. The second free corrupts allocator state, and because the attacker chooses when the reset lands and what else is in flight on the connection, the corruption is a tunable heap primitive rather than a random crash.
Bartlomiej Dmitruk (striga.ai) and Stanislaw Strzalkowski (isec.pl) reported the flaw to the Apache security team on December 10, 2025. A fix was committed the next day. The public disclosure waited until 2.4.67 shipped on May 4, 2026, alongside ten other CVEs (CVE-2026-24072, CVE-2026-28780, CVE-2026-29168, CVE-2026-29169, CVE-2026-33006, CVE-2026-33007, CVE-2026-33523, CVE-2026-33857, CVE-2026-34032, CVE-2026-34059).
Why DoS is the easy case and RCE is harder but real
Knocking a worker process over is straightforward: open a connection, trigger the early-reset condition, the heap corrupts, the child segfaults; reconnect and repeat. Because mod_http2 multiplexes many concurrent streams over one connection, a single TCP session supplies enough resets to bring a child down, and with the event or worker MPM every other connection that child was serving dies with it.
The RCE path is where the technical detail matters. Apache’s scoreboard, the shared-memory structure the parent and its workers use to coordinate state, is mapped once when the parent process starts and inherited by every forked child. ASLR randomizes that address only at startup; a child that crashes and is respawned gets the same mapping, along with the rest of the parent’s memory layout. That is the anchor that makes practical exploitation viable: an attacker who can shape the heap around the freed allocation has a stable target to overwrite, and an address leaked from one crashed child stays valid for the next. The catches are the usual ones for a heap exploit of this kind: you need an information leak to find system() and the exact scoreboard offsets for the build you are targeting, and the heap spray is probabilistic. None of those are blockers for an attacker who has weaponized similar heap primitives in httpd and other servers before.
No public exploitation has been reported as of this writing. Proof-of-concept code typically follows within days of a high-severity httpd disclosure.
Who’s affected
Anyone running Apache HTTP Server 2.4.66 with mod_http2 loaded. Most distro packages ship the module, and HTTP/2 is usually switched on, since modern browsers and most CDNs negotiate h2 by preference. The vulnerability is pre-auth and reachable on any listener that negotiates HTTP/2: normally TLS ports via ALPN, but also cleartext h2c on any port where an operator has added it to Protocols.
The blast radius includes a lot of things you don’t normally think of as “Apache”:
- Standalone web servers and reverse proxies in front of application stacks
- cPanel/WHM and Plesk installations (cPanel just got mauled by a separate auth-bypass last week, so any operator running both 2.4.66 and an unpatched cPanel is in a particularly bad spot)
- Apache-based load balancers fronting Kubernetes ingress
- CDN origins where the edge speaks h2 to the customer and h2 back to the origin Apache
- Embedded appliances (firewalls, NAS boxes, hypervisor management UIs) that ship httpd internally
Mitigation
The complete fix is to upgrade to Apache HTTP Server 2.4.67. The Apache project recommends this as the only full mitigation across all five HTTP/2-related issues in this batch.
If you cannot upgrade immediately, disabling HTTP/2 closes this specific path: remove h2 (and h2c, if you offer it) from the Protocols directive in httpd.conf and in any virtual host that sets its own, leaving http/1.1, then restart cleanly.
Clients will fall back to HTTP/1.1, which costs some performance but removes the attack surface; confirm the change took effect by checking that the server no longer advertises h2 via ALPN. WAFs that inspect HTTP/2 framing can blunt some exploitation attempts, but they will not reliably detect the early-reset pattern that triggers the bug, so do not treat them as a substitute for patching.
If you front Apache with a TLS-terminating proxy that only speaks h1 to the origin, you’re not directly exposed via this CVE — but you’re still exposed to the other ten CVEs in 2.4.67, several of which affect the HTTP/1.1 path. Patch anyway.
What to check tonight
Inventory every Apache instance you have, including the ones embedded in vendor appliances. httpd -v gives you the version (apache2 -v on Debian and Ubuntu, where the binary is renamed), and apachectl -M (apache2ctl -M on those systems) lists loaded modules, so grep its output for http2_module. If anything is on 2.4.66, schedule the upgrade now. If you can’t get to 2.4.67 in the next 24 hours, drop h2 (and h2c) from the Protocols list as the bridge and restart.
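The two bridge actions above, triaging the httpd -v banner and stripping h2 from the Protocols list, as an added shell example. This is not code from the advisory or the httpd project: the function names httpd_version_state, h2_enabled_in_conf and strip_h2_from_conf are mine, the banner text and configuration fragment are constructed inputs, and the script assumes that cleartext h2c should be dropped alongside h2.

```shell
#!/bin/sh
# Added example: triage helpers for the checks above (not advisory or httpd code).
# Function names are illustrative; the banner and config below are constructed.

# Classify a `httpd -v` banner. The advisory names 2.4.66 as affected and
# 2.4.67 as fixed; later 2.4.x is treated as fixed, anything else is flagged
# for manual review rather than guessed at.
httpd_version_state() {
    ver=$(printf '%s\n' "$1" \
        | sed -n 's|^Server version: Apache/\([0-9.]*\).*|\1|p' | head -n 1)
    case "$ver" in
        2.4.66) echo "VULNERABLE $ver" ;;
        2.4.*)
            patch=${ver#2.4.}
            if [ "$patch" -ge 67 ] 2>/dev/null; then
                echo "FIXED $ver"
            else
                echo "REVIEW $ver"
            fi ;;
        "")     echo "UNKNOWN (no Server version line)" ;;
        *)      echo "REVIEW $ver" ;;
    esac
}

# Return 0 if any uncommented Protocols directive (global or per-vhost) offers
# h2 or h2c, 1 otherwise. With no Protocols line at all httpd defaults to
# http/1.1 only, so "not found" means HTTP/2 is off.
h2_enabled_in_conf() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "protocols" {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == "h2" || tolower($i) == "h2c") found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Print the config with h2/h2c dropped from every Protocols line, keeping the
# other tokens and the indentation. A line left with nothing becomes http/1.1.
strip_h2_from_conf() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { print; next }
        tolower($1) == "protocols" {
            indent = $0; sub(/[^[:space:]].*$/, "", indent)
            out = ""
            for (i = 2; i <= NF; i++) {
                t = tolower($i)
                if (t != "h2" && t != "h2c") out = out " " $i
            }
            if (out == "") out = " http/1.1"
            print indent $1 out
            next
        }
        { print }'
}

# Constructed inputs: what `httpd -v` and a typical h2-enabled config look like.
SAMPLE_BANNER_VULN='Server version: Apache/2.4.66 (Unix)
Server built:   Mar  3 2026 10:12:44'
SAMPLE_BANNER_FIXED='Server version: Apache/2.4.67 (Unix)
Server built:   May  4 2026 09:00:00'
SAMPLE_CONF='LoadModule http2_module modules/mod_http2.so
# Protocols h2 http/1.1   (commented out: must be ignored)
Protocols h2 h2c http/1.1
<VirtualHost *:443>
    ServerName www.example.com
    Protocols h2 http/1.1
</VirtualHost>'

# Demo run.
httpd_version_state "$SAMPLE_BANNER_VULN"
httpd_version_state "$SAMPLE_BANNER_FIXED"
if h2_enabled_in_conf "$SAMPLE_CONF"; then
    echo "h2/h2c offered; bridge config until 2.4.67 is in place:"
    strip_h2_from_conf "$SAMPLE_CONF"
fi
```

Run it against the real output of httpd -v and the concatenated configuration (httpd -t -D DUMP_INCLUDES lists every file that is read); the awk passes deliberately skip commented lines and handle per-vhost Protocols, since a global http/1.1 line means nothing if a vhost re-enables h2.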