AI description
CVE-2026-23918 is a double-free vulnerability found in Apache HTTP Server's `mod_http2` module, specifically within the HTTP/2 protocol handling. This flaw affects Apache HTTP Server version 2.4.66. The vulnerability is triggered when a client sends an HTTP/2 HEADERS frame immediately followed by an RST_STREAM frame with a non-zero error code on the same stream, before the stream has been fully registered by the multiplexer. This sequence causes the `h2_stream` pointer to be pushed onto a cleanup array twice, leading to a double-free when `c1_purge_streams` attempts to destroy the stream and its associated memory pool a second time. Exploitation of this vulnerability can lead to a denial-of-service condition, where the Apache worker crashes, dropping requests. Additionally, it can potentially enable remote code execution by manipulating the freed memory to place a fake `h2_stream` structure and execute arbitrary commands. The issue has been addressed in Apache HTTP Server version 2.4.67, and users of affected versions are recommended to upgrade.
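The triggering frame sequence described above can be spotted in captured client traffic. The following detector is an added example, not code from Apache httpd or from this record: it parses raw HTTP/2 frames using the RFC 9113 frame layout and flags a HEADERS frame immediately followed by RST_STREAM with a non-zero error code on the same stream; the sample capture bytes are constructed for the example.

```python
import struct

# HTTP/2 frame type codes and the NO_ERROR code (RFC 9113).
HEADERS = 0x1
RST_STREAM = 0x3
NO_ERROR = 0x0

def parse_frames(data: bytes):
    """Yield (type, flags, stream_id, payload) for each complete frame in data.

    Frame header: 24-bit length, 8-bit type, 8-bit flags, 1 reserved bit,
    31-bit stream identifier, then `length` bytes of payload."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break  # truncated capture: stop rather than misparse the tail
        yield ftype, flags, stream_id, payload
        off += 9 + length

def find_headers_then_reset(data: bytes):
    """Return [(stream_id, error_code)] for every HEADERS frame that is
    immediately followed by RST_STREAM with a non-zero error code on the
    same stream, i.e. the client-side sequence this CVE is triggered by."""
    hits = []
    prev = None  # (type, stream_id) of the preceding frame
    for ftype, _flags, sid, payload in parse_frames(data):
        if ftype == RST_STREAM and prev == (HEADERS, sid) and len(payload) == 4:
            err = struct.unpack("!I", payload)[0]
            if err != NO_ERROR:
                hits.append((sid, err))
        prev = (ftype, sid)
    return hits

# Constructed sample capture (client -> server frames after the preface):
SAMPLE = (
    b"\x00\x00\x01\x01\x05\x00\x00\x00\x01\x82"              # HEADERS, stream 1
    b"\x00\x00\x04\x03\x00\x00\x00\x00\x01\x00\x00\x00\x08"  # RST_STREAM(CANCEL), stream 1
    b"\x00\x00\x01\x01\x05\x00\x00\x00\x03\x82"              # HEADERS, stream 3
    b"\x00\x00\x04\x03\x00\x00\x00\x00\x03\x00\x00\x00\x00"  # RST_STREAM(NO_ERROR), stream 3
    b"\x00\x00\x01\x01\x05\x00\x00\x00\x05\x82"              # HEADERS, stream 5
    b"\x00\x00\x04\x03\x00\x00\x00\x00\x07\x00\x00\x00\x08"  # RST_STREAM on another stream
)

if __name__ == "__main__":
    print(find_headers_then_reset(SAMPLE))  # [(1, 8)]
```

A HEADERS/RST_STREAM pair is also legitimate client behaviour (request cancellation), and whether the reset lands before the multiplexer registers the stream is a server-side race not visible on the wire, so a hit is a triage signal for unpatched 2.4.66 hosts, not proof of exploitation.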
- Description: Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
- Source: security@apache.org
- NVD status: Analyzed
- Products: http_server

CVSS 3.1
- Type: Secondary
- Base score: 8.8
- Impact score: 5.9
- Exploitability score: 2.8
- Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Severity: HIGH
- CWE (per security@apache.org): CWE-415
- Hype score: Not currently trending
[
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:http_server:2.4.66:*:*:*:*:*:*:*",
"matchCriteriaId": "3F48B216-98B0-4261-8E74-3BCC6F37CD8C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
]