Cyber Posture

CVE-2026-23918

Severity: High
Published: 04 May 2026
Modified: 04 May 2026
KEV Added: none recorded
Patch: none linked (see Description: upgrade to 2.4.67)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0006 (18.8th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Security Summary (AI-generated)

CVE-2026-23918 is a double-free vulnerability (CWE-415) in the Apache HTTP Server's HTTP/2 handling that can lead to remote code execution (RCE). The advisory lists a single affected release, 2.4.66. The CVSS v3.1 base score is 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): network reachable, low attack complexity, no user interaction, and high impact on confidentiality, integrity and availability.

The vector scores the privileges required as low (PR:L). The published description does not say what that privilege is, so until the advisory is more specific, any client able to negotiate HTTP/2 with the server should be treated as in scope. HTTP/2 support in Apache httpd 2.4 is provided by mod_http2 and is only active where that module is loaded and the Protocols directive offers h2 or h2c; an httpd 2.4.66 instance that serves HTTP/1.1 only does not expose the vulnerable code path, but should still be upgraded because the module can be enabled later by configuration. Successful exploitation allows arbitrary code execution in the httpd worker process, which typically means full compromise of whatever that process can reach.

The Apache HTTP Server security advisory recommends upgrading to version 2.4.67, which fixes the issue. Details are published on the Apache 2.4 vulnerabilities page at https://httpd.apache.org/security/vulnerabilities_24.html and in the oss-security mailing list announcement at http://www.openwall.com/lists/oss-security/2026/05/04/19.
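The version and module checks described above, as an added triage script. This is example code written for this page, not code from the Cyber Posture site or the Apache project. It assumes the standard output formats of `httpd -v` ("Server version: Apache/2.4.66 (Unix)") and `apachectl -M` (one module per line, e.g. " http2_module (shared)"); the sample output embedded in the script is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: triage check for CVE-2026-23918 (Apache httpd 2.4.66, HTTP/2).
# Not part of the advisory or the httpd project. Assumes the usual `httpd -v`
# and `apachectl -M` output formats; on Debian/Ubuntu the binaries are
# `apache2 -v` and `apache2ctl -M` instead.

# Extract the version number ("2.4.66") from `httpd -v` output.
httpd_version() {
    printf '%s\n' "$1" | sed -n 's/.*Apache\/\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# True (exit 0) only for the single release the advisory lists as affected.
version_is_affected() {
    [ "$1" = "2.4.66" ]
}

# True (exit 0) when `apachectl -M` output shows mod_http2 loaded.
http2_module_loaded() {
    printf '%s\n' "$1" | grep -q '^ *http2_module'
}

# Combine both checks. Prints exactly one of:
#   exposed                              affected version AND mod_http2 loaded
#   affected-version-but-http2-not-loaded  upgrade anyway, but not reachable today
#   not-affected                         some other version
triage() {
    ver=$(httpd_version "$1")
    if version_is_affected "$ver"; then
        if http2_module_loaded "$2"; then
            echo exposed
        else
            echo affected-version-but-http2-not-loaded
        fi
    else
        echo not-affected
    fi
}

# Constructed sample output (not from a real host), so the script runs offline.
SAMPLE_V='Server version: Apache/2.4.66 (Unix)'
SAMPLE_M='Loaded Modules:
 core_module (static)
 http2_module (shared)
 ssl_module (shared)'

# Live use on a host that has httpd installed:
#   triage "$(httpd -v 2>/dev/null)" "$(apachectl -M 2>/dev/null)"
triage "$SAMPLE_V" "$SAMPLE_M"
```

Note that the module check only tells you whether mod_http2 is loaded; whether h2 or h2c is actually offered depends on the Protocols directive in the active configuration, so a "not loaded" result is the only one that rules the code path out.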

Details

CWE(s)

CWE-415 (Double Free)

Affected Products

Apache HTTP Server 2.4.66 (vendor: apache, product: http server)

References

https://httpd.apache.org/security/vulnerabilities_24.html
http://www.openwall.com/lists/oss-security/2026/05/04/19