The Apache Software Foundation has released security updates for HTTP Server addressing CVE-2026-23918, a vulnerability described as a “double free and possible RCE” in HTTP/2 handling with a CVSS of 8.8. The flaw affects Apache HTTP Server 2.4.66 and is fixed in version 2.4.67, with Striga[.]ai co-founder Bartlomiej Dmitruk and ISEC[.]pl researcher Stanislaw Strzalkowski credited for discovering and reporting it.
According to The Hacker News, the DoS impact is trivial on any default deployment with mod_http2 and a multi-threaded MPM, while remote code execution requires an Apache Portable Runtime with the mmap allocator, which is the default on Debian-derived systems and on the official httpd Docker image.
The vulnerability stems from a double-free in the stream cleanup path of h2_mplx.c, triggered when a client sends an HTTP/2 HEADERS frame followed by a non-zero RST_STREAM on the same stream before the multiplexer registers the stream. Patch guidance emphasises applying the latest fixes to mitigate both the denial-of-service and potential RCE pathways.
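As an added triage helper (not code from the advisory or the httpd project), the script below parses `httpd -V` and `httpd -M` output to check the exposure conditions the article lists: the 2.4.66 build, mod_http2 loaded, and a threaded MPM. The sample outputs are constructed, and the APR allocator choice that gates the RCE path is not visible in this output, so the check only decides whether the DoS precondition is met and whether the build predates the 2.4.67 fix.

```python
import re
from dataclasses import dataclass

FIXED = (2, 4, 67)     # release carrying the fix, per the advisory
AFFECTED = (2, 4, 66)  # release the advisory names as affected

# Constructed sample output of `httpd -V` and `httpd -M` (not from a real host)
SAMPLE_V = """Server version: Apache/2.4.66 (Unix)
Server built:   Jan  1 2026 00:00:00
Server MPM:     event
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
"""
SAMPLE_M = """Loaded Modules:
 core_module (static)
 mpm_event_module (shared)
 http2_module (shared)
"""

@dataclass
class Assessment:
    version: tuple
    mpm: str
    threaded: bool
    http2: bool

    @property
    def exposed(self) -> bool:
        # DoS precondition from the article: affected build + mod_http2 + threaded MPM.
        # The APR mmap allocator (RCE path) cannot be read from -V/-M output.
        return self.version == AFFECTED and self.http2 and self.threaded

def parse_version(text: str) -> tuple:
    m = re.search(r"Server version:\s*Apache/(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no Apache version line found")
    return tuple(int(x) for x in m.groups())

def assess(v_output: str, m_output: str) -> Assessment:
    version = parse_version(v_output)
    mpm_m = re.search(r"Server MPM:\s*(\w+)", v_output)
    thr = re.search(r"^\s*threaded:\s*(yes|no)", v_output, re.M)
    http2 = re.search(r"^\s*http2_module\b", m_output, re.M) is not None
    return Assessment(version, mpm_m.group(1) if mpm_m else "unknown",
                      bool(thr and thr.group(1) == "yes"), http2)

def needs_update(version: tuple) -> bool:
    # Anything below 2.4.67 does not carry the fix described in the advisory
    return version < FIXED

if __name__ == "__main__":
    a = assess(SAMPLE_V, SAMPLE_M)
    print(a, "exposed:", a.exposed, "needs update:", needs_update(a.version))
```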