Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE
Apache HTTP Server CVE-2026-23918: a double-free bug in mod_http2 enables DoS and RCE
TL;DR — Apache HTTP Server 2.4.66 contains a double-free vulnerability in the HTTP/2 module (mod_http2) that allows unauthenticated attackers to crash worker processes or achieve remote code execution. The flaw requires no special headers or URLs and is trivial to trigger on multi-threaded deployments. Update to version 2.4.67 immediately.
What happened
The Apache Software Foundation disclosed CVE-2026-23918, a double-free vulnerability in mod_http2 affecting Apache HTTP Server 2.4.66. The flaw was discovered by Bartlomiej Dmitruk (Striga.ai co-founder) and Stanislaw Strzalkowski (ISEC.pl researcher).
The vulnerability resides in the stream cleanup path of h2_mplx.c and is triggered when a client sends an HTTP/2 HEADERS frame immediately followed by RST_STREAM with a non-zero error code on the same stream, before the multiplexer has registered the stream. Two nghttp2 callbacks fire in sequence—on_frame_recv_cb for the RST and on_stream_close_cb for the close—and both invoke h2_mplx_c1_client_rst, which calls m_stream_cleanup. This causes the same h2_stream pointer to be pushed onto the cleanup array twice. When c1_purge_streams later iterates the array and calls h2_stream_destroy on each entry, the second call operates on memory that has already been freed.
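The defect described above is a cleanup-registration function that is not idempotent: two callbacks that legitimately fire for the same stream both push the same pointer onto a list that is later destroyed entry by entry. The following C program is an added illustration of that bug class and of the usual fix; it is not httpd's source and not the researchers' code. The type and function names (stream_t, mplx_t, client_rst, on_frame_recv_rst, on_stream_close, purge_streams) are hypothetical stand-ins for the h2_stream, h2_mplx, h2_mplx_c1_client_rst, on_frame_recv_cb, on_stream_close_cb and c1_purge_streams names in the write-up. Instead of calling free() twice (undefined behaviour), the purge pass marks each stream destroyed and counts any second visit, so the outcome is deterministic and can be asserted on.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration of the CVE-2026-23918 bug class (not httpd source).
 * stream_t / mplx_t and the callback names are hypothetical stand-ins for
 * h2_stream / h2_mplx and the nghttp2 callbacks named in the write-up. */

#define MAX_CLEANUP 8

typedef struct stream {
    int id;
    int queued;     /* set once the stream is on the cleanup list (hardened path) */
    int destroyed;  /* set by the purge pass; a second visit models a double free */
} stream_t;

typedef struct mplx {
    stream_t *cleanup[MAX_CLEANUP];
    int ncleanup;
    int hardened;   /* 0 = unconditional push (vulnerable), 1 = idempotent push */
} mplx_t;

/* Vulnerable shape: the caller is trusted to register each stream only once. */
static void stream_cleanup_unchecked(mplx_t *m, stream_t *s)
{
    if (m->ncleanup < MAX_CLEANUP)
        m->cleanup[m->ncleanup++] = s;
}

/* Hardened shape: registration is idempotent, so two callbacks acting on the
 * same stream leave exactly one entry on the cleanup list. */
static void stream_cleanup_once(mplx_t *m, stream_t *s)
{
    if (s->queued)
        return;
    s->queued = 1;
    if (m->ncleanup < MAX_CLEANUP)
        m->cleanup[m->ncleanup++] = s;
}

/* Both callbacks funnel into the same reset handler, as in the write-up. */
static void client_rst(mplx_t *m, stream_t *s)
{
    if (m->hardened)
        stream_cleanup_once(m, s);
    else
        stream_cleanup_unchecked(m, s);
}

/* Models on_frame_recv_cb for an RST_STREAM frame. */
static void on_frame_recv_rst(mplx_t *m, stream_t *s, int error_code)
{
    if (error_code != 0)       /* only a non-zero error code resets the stream */
        client_rst(m, s);
}

/* Models on_stream_close_cb, which fires right after the RST is processed. */
static void on_stream_close(mplx_t *m, stream_t *s)
{
    client_rst(m, s);
}

/* Purge pass: destroy every listed stream once. Instead of free() we flag the
 * stream and count every attempt to destroy an already-destroyed stream. */
static int purge_streams(mplx_t *m)
{
    int double_destroys = 0;
    for (int i = 0; i < m->ncleanup; i++) {
        stream_t *s = m->cleanup[i];
        if (s->destroyed)
            double_destroys++;
        else
            s->destroyed = 1;
    }
    m->ncleanup = 0;
    return double_destroys;
}

typedef struct replay_result {
    int cleanup_entries;   /* entries on the list before the purge pass */
    int double_destroys;   /* 1 for the vulnerable shape, 0 for the hardened one */
} replay_result_t;

/* Replays the sequence from the advisory on one stream object: the RST
 * callback and the close callback fire back to back before the multiplexer
 * has registered the stream, then the purge pass runs. */
replay_result_t replay_rst_race(int hardened)
{
    mplx_t m;
    memset(&m, 0, sizeof m);
    m.hardened = hardened;

    stream_t s = { .id = 1, .queued = 0, .destroyed = 0 };

    on_frame_recv_rst(&m, &s, 8 /* HTTP/2 CANCEL error code */);
    on_stream_close(&m, &s);

    replay_result_t r;
    r.cleanup_entries = m.ncleanup;
    r.double_destroys = purge_streams(&m);
    return r;
}

int main(void)
{
    replay_result_t v = replay_rst_race(0);
    replay_result_t h = replay_rst_race(1);
    printf("unchecked push:  %d list entries, %d double-destroy\n", v.cleanup_entries, v.double_destroys);
    printf("idempotent push: %d list entries, %d double-destroy\n", h.cleanup_entries, h.double_destroys);
    return 0;
}
```

The vulnerable shape yields two list entries and one double-destroy; the idempotent shape yields one entry and none. To see the real memory error rather than the model, replace the destroyed flag with an actual free() of a heap-allocated stream and build with -fsanitize=address: AddressSanitizer reports the second free as a double-free, which is the same class of finding a fuzzer or a CI sanitizer build would surface for code like this.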
The vulnerability has been patched in Apache HTTP Server 2.4.67.
Why it matters
This flaw presents two distinct attack vectors:
Denial-of-service: A single TCP connection and two frames are sufficient to crash a worker process. No authentication, special headers, or specific URLs are required. While Apache respawns crashed workers, all requests on the crashed worker are dropped. An attacker can sustain this pattern indefinitely, resulting in service degradation or outage.
Remote code execution: A proof-of-concept exploit has been demonstrated on x86_64. The chain exploits the double-free to place a fake h2_stream structure at the freed address via mmap reuse, then points the structure's pool cleanup function to system(). Apache's scoreboard memory serves as a stable container for the fake structures and command strings. The scoreboard occupies a fixed address for the server's lifetime even with address space layout randomization (ASLR), making the RCE path practical. According to the researchers, successful exploitation in lab conditions has occurred within minutes, though practical exploitation requires an information leak for system() and scoreboard offsets, and the heap spray is probabilistic.
The attack surface is substantial: mod_http2 ships in default Apache builds, and HTTP/2 is widely enabled in production environments.
Affected systems and CVEs
- Apache HTTP Server 2.4.66 with mod_http2
- CVE-2026-23918 (CVSS score: 8.8)
Multi-threaded MPMs (worker, event) are affected. The prefork MPM is not affected by this flaw.
RCE-specific risk: Remote code execution is possible on deployments using Apache Portable Runtime (APR) with the mmap allocator. This is the default configuration on Debian-derived systems and the official httpd Docker image.
What to do
- Update Apache HTTP Server to version 2.4.67 or later immediately.
- Apply all latest security patches from the Apache Software Foundation.
- Prioritize systems running multi-threaded MPMs (worker, event) in default configurations, especially those based on Debian or running the official Docker image.
- Review and restrict HTTP/2 ingress if operationally feasible while patches are deployed.
Open questions
- The exact date of vulnerability discovery or patch release is not specified in the advisory.
- It is unclear whether Apache HTTP Server versions other than 2.4.66 are affected.
- The advisory does not detail the specific technical requirements for obtaining an information leak to determine system() and scoreboard offsets in real-world scenarios.
- The probability and timeline for successful heap spray exploitation in production environments under non-lab conditions remain unspecified.
Source
Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE