The Apache Software Foundation (ASF) has released security updates to address multiple security vulnerabilities in the HTTP Server, including a critical vulnerability that could potentially lead to remote code execution (RCE).
The vulnerability, tracked as CVE-2026-23918 (CVSS score: 8.8), is described as a case of “double free and possible RCE” in HTTP/2 protocol handling. This issue affects Apache HTTP Server 2.4.66 and is addressed in version 2.4.67.
Striga.ai co-founder Bartlomiej Dmytruk and ISEC.pl researcher Stanisław Strzalkowski have been credited with discovering and reporting the vulnerability.
When contacted for comment, Dmitruk told The Hacker News via email that the severity of CVE-2026-23918 is significant, as it can be used to achieve denial of service (DoS) and RCE. Additional details of the vulnerability are below –
CVE-2026-23918 Apache httpd 2.4.66 has a double-free in mod_http2, specifically in the stream cleanup path of h2_mplx.c. The bug is triggered when a client sends an HTTP/2 HEADERS frame immediately followed by a RST_STREAM with a non-zero error code on the same stream, before the stream is registered by the multiplexer.
Two nghttp2 callbacks are then fired in sequence, on_frame_recv_cb for RST and on_stream_close_cb for close, and both finally call h2_mplx_c1_client_rst -> m_stream_cleanup, which pushes the same h2_stream pointer to the spurge cleanup array twice. When c1_purge_streams later iterates the purge and calls h2_stream_destroy -> apr_pool_destroy on each entry, the second call hits memory that has already been freed.
DoS is trivial and works on any default deployment with mod_http2 and multi-threaded MPM, Dmitruk said, while the RCE path requires Apache Portable Runtime (APR) with the mmap allocator, which is the default on Debian-derived systems and the official httpd Docker image. Dmitruk further said –
The first is denial-of-service, which is trivial: one TCP connection, two frames, no authentication, no special headers, no specific URL, and the worker crashes. Apache reproduces this, but each request on the crashed worker is deleted, and this pattern can persist as long as the attacker keeps sending.
The second result is remote code execution, and we have created a working proof of concept on x86_64. The chain places a fake h2_stream structure on a virtual address freed through mmap reuse, points its pool cleanup function to system(), and uses Apache’s scoreboard memory as a static container for the fake structures and command strings.
Even with ASLR, the scoreboard sits at a fixed address for the lifetime of the server, which makes the RCE path practical. The usual caveats apply: practical exploitation requires information leaks to system() and scoreboard offsets, and stack spray is probable, but in laboratory conditions execution is completed in minutes.
Dmitruk also pointed out that MPM is not affected by the prefork flaw. However, the researcher cautioned that the attack surface is large because mod_http2 ships in the default build and HTTP/2 is widely enabled in production deployments. Given the severity of the flaw, users are advised to apply the latest fixes for optimal security.
