
Important Apache HTTP/2 Flaw (CVE-2026-23918) Allows DoS and Potential RCE

The Apache Software Foundation (ASF) has released security updates to address multiple security vulnerabilities in the HTTP Server, including a severe flaw that could potentially lead to remote code execution (RCE).

The vulnerability, tracked as CVE-2026-23918 (CVSS score: 8.8), has been described as a case of “double free and possible RCE” in the HTTP/2 protocol handling. The issue affects Apache HTTP Server 2.4.66 and has been addressed in version 2.4.67.

Striga.ai co-founder Bartlomiej Dmitruk and ISEC.pl researcher Stanislaw Strzalkowski have been credited with discovering and reporting the vulnerability.

When reached for comment, Dmitruk told The Hacker News via email that the severity of CVE-2026-23918 is critical, as it can be exploited to achieve denial-of-service (DoS) and RCE. Further details of the vulnerability are below –

CVE-2026-23918 is a double-free in Apache httpd 2.4.66 mod_http2, specifically in the stream cleanup path of h2_mplx.c. The bug triggers when a client sends an HTTP/2 HEADERS frame immediately followed by RST_STREAM with a non-zero error code on the same stream, before the multiplexer has registered the stream.

Two nghttp2 callbacks then fire in sequence, on_frame_recv_cb for the RST and on_stream_close_cb for the close, and both end up calling h2_mplx_c1_client_rst -> m_stream_cleanup, which pushes the same h2_stream pointer onto the spurge cleanup array twice. When c1_purge_streams later iterates spurge and calls h2_stream_destroy -> apr_pool_destroy on each entry, the second call hits memory that has already been freed.
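To make the failure mode above concrete, here is an added, deliberately simplified C model of the cleanup-list pattern described in the quote. It is not httpd's code: `stream_t`, `purge_list_t`, `cleanup_unsafe`, `cleanup_safe`, `purge` and `simulate` are all hypothetical names, "destroy" is modelled by a flag rather than a real free so the program never touches freed memory, and the dedupe check in `cleanup_safe` is one illustrative hardening, not a claim about what the 2.4.67 fix does.

```c
#include <stdio.h>

/* Assumed stand-in for a stream whose pool is destroyed on purge.
 * `destroyed` models the memory having been freed already. */
typedef struct { int id; int destroyed; } stream_t;

/* Assumed stand-in for the purge array: pointers scheduled for destruction. */
typedef struct { stream_t *items[8]; int n; } purge_list_t;

/* Unsafe cleanup: every caller pushes unconditionally, so two callbacks
 * that both reach cleanup for the same stream queue the same pointer twice. */
static void cleanup_unsafe(purge_list_t *p, stream_t *s) {
    p->items[p->n++] = s;
}

/* Hardened cleanup: refuse to queue a stream that is already scheduled.
 * Returns 1 if the stream was queued, 0 if it was a duplicate. */
static int cleanup_safe(purge_list_t *p, stream_t *s) {
    for (int i = 0; i < p->n; i++)
        if (p->items[i] == s) return 0;
    p->items[p->n++] = s;
    return 1;
}

/* Purge pass: destroy each queued entry once. Returns how many entries were
 * destroyed after they had already been destroyed, i.e. the double frees. */
static int purge(purge_list_t *p) {
    int double_frees = 0;
    for (int i = 0; i < p->n; i++) {
        stream_t *s = p->items[i];
        if (s->destroyed) { double_frees++; continue; } /* real code would free freed memory here */
        s->destroyed = 1;
    }
    p->n = 0;
    return double_frees;
}

/* Replay the sequence from the write-up: the RST callback and the close
 * callback both run cleanup for the same stream before the purge pass. */
int simulate(int hardened) {
    stream_t s = { 1, 0 };
    purge_list_t p = { {0}, 0 };
    if (hardened) { cleanup_safe(&p, &s);   cleanup_safe(&p, &s); }
    else          { cleanup_unsafe(&p, &s); cleanup_unsafe(&p, &s); }
    return purge(&p);
}

int main(void) {
    printf("unsafe: %d double free(s), hardened: %d double free(s)\n", simulate(0), simulate(1));
    return 0;
}
```

The same idempotence check belongs wherever two independent callbacks can both schedule one object for teardown; a per-object "already scheduled" flag would serve the same purpose without the linear scan.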

The DoS, Dmitruk added, is trivial and works on any default deployment with mod_http2 and a multi-threaded MPM, whereas the RCE path requires an Apache Portable Runtime (APR) built with the mmap allocator, which is the default on Debian-derived systems and on the official httpd Docker image. Dmitruk further explained –


The first is denial-of-service, which is trivial: one TCP connection, two frames, no authentication, no special headers, no special URL, and the worker crashes. Apache respawns it, but every request on the crashed worker is dropped, and the pattern can be sustained as long as the attacker keeps sending.

The second outcome is remote code execution, and we built a working proof of concept on x86_64. The chain places a fake h2_stream struct at the freed virtual address via mmap reuse, points its pool cleanup function to system(), and uses Apache’s scoreboard memory as a stable container for the fake structures and the command string.

The scoreboard sits at a fixed address for the lifetime of the server, even with ASLR, which is what makes the RCE path practical. The usual caveats apply: practical exploitation requires an information leak for system() and the scoreboard offsets, and the heap spray is probabilistic, but in lab conditions execution lands in minutes.

Dmitruk also pointed out that the prefork MPM is not affected by the flaw. However, the researcher cautioned that the attack surface is large, as mod_http2 ships in default builds and HTTP/2 is widely enabled in production deployments. In light of the severity of the flaw, users are advised to apply the latest fixes for optimal protection.
