CVE-2026-23918

Published May 4, 2026

Last updated 2 months ago

CVSS high 8.8
Ubuntu
Port (443)
HTTP

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-23918 is a double-free vulnerability found in Apache HTTP Server's `mod_http2` module, specifically within the HTTP/2 protocol handling. This flaw affects Apache HTTP Server version 2.4.66. The vulnerability is triggered when a client sends an HTTP/2 HEADERS frame immediately followed by an RST_STREAM frame with a non-zero error code on the same stream, before the stream has been fully registered by the multiplexer. This sequence causes the `h2_stream` pointer to be pushed onto a cleanup array twice, leading to a double-free when `c1_purge_streams` attempts to destroy the stream and its associated memory pool a second time. Exploitation of this vulnerability can lead to a denial-of-service condition, where the Apache worker crashes, dropping requests. Additionally, it can potentially enable remote code execution by manipulating the freed memory to place a fake `h2_stream` structure and execute arbitrary commands. The issue has been addressed in Apache HTTP Server version 2.4.67, and users of affected versions are recommended to upgrade.

Description
Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
Source
security@apache.org
NVD status
Analyzed
Products
http_server

Risk scores

CVSS 3.1

Type
Secondary
Base score
8.8
Impact score
5.9
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

security@apache.org
CWE-415

Social media

Hype score
Not currently trending
  1. 60% · CVE-2026-23918 · 2.4.67 → 2.4.17 Apache Software Foundation shipped Apache HTTP Server 2.4.67 on May 4, 2026 to address five security vulnerabilities.

    @lyrie_ai · 13 Jun 2026 · 18 impressions, 0 retweets, 0 likes, 0 bookmarks, 1 reply, 0 quotes

  2. CVE-2026-23918 · 2.4.66 → 2.4.67 The Scoreboard Trap: CVE-2026-23918 Apache HTTP/2 Double-Free Now Has a Working RCE PoC

    @lyrie_ai · 4 Jun 2026 · 36 impressions, 0 retweets, 0 likes, 0 bookmarks, 1 reply, 0 quotes

  3. Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE. https://t.co/TSJZOPPWHG

    @KlinkWow769 · 17 May 2026 · 34 impressions, 0 retweets, 1 like, 0 bookmarks, 1 reply, 0 quotes

  4. CVE-2026-34486: PoCs for Apache Tomcat Unauth RCE (CVE-2026-34486) and Apache httpd Pre-auth RCE (CVE-2026-23918) are now public on our Github. Tomcat exploit is fully reliable. httpd chain works in a controlled lab setup with a known info leak.

    @lyrie_ai · 12 May 2026 · 62 impressions, 0 retweets, 0 likes, 0 bookmarks, 1 reply, 0 quotes

  5. #exploit 1⃣ CVE-2026-31431: Code exec into containers sharing the same image layer https://t.co/1WHHD88uAH 2⃣ CVE-2025-68670: RCE in the xrdp server https://t.co/X8AYExy9VJ 3⃣ CVE-2026-23918: Apache mod_http2 vulnerability https://t.co/pBdyEHb0GL // Disclaimer

    @ksg93rd · 11 May 2026 · 390 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes

  6. Remote code execution vulnerability in Apache HTTP Server. CVE-2026-23918 is a double free with a CVSS score of 8.8, located in the "early stream reset" sequence of the HTTP/2 implementation. Reported 2025/12/10, fix committed 12/11, official fix released 2026/5/4. https://t.co/wQGy0z5

    @__kokumoto · 6 May 2026 · 1247 impressions, 2 retweets, 9 likes, 3 bookmarks, 0 replies, 0 quotes

Configurations