Apache has released updates to fix multiple vulnerabilities in its HTTP Server, including CVE-2026-23918, a double-free flaw in its HTTP/2 implementation that could enable remote code execution. The CVSS score is listed as 8.8; the issue affects version 2.4.66 and is fixed in version 2.4.67.
The vulnerability was discovered by Bartlomiej Dmitruk of striga[.]ai and Stanislaw Strzalkowski of isec[.]pl, and the advisory notes a double free in Apache HTTP Server with the HTTP/2 protocol that could lead to memory corruption and, in some setups, remote code execution. According to TheHackerNews, the flaw can be triggered by a crafted HTTP/2 sequence that causes the same stream to be cleaned up twice, potentially crashing worker processes or enabling RCE in certain configurations. The article also notes that MPM prefork is not affected, though widespread HTTP/2 use increases exposure.
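A quick triage script a defender might run against the conditions the advisory names (version 2.4.66, HTTP/2 enabled, an MPM other than prefork). This is an added example, not code from Apache or from the advisory; the `httpd -v` / `httpd -M` output lines it parses are constructed samples, and on a real host you would feed in the actual command output. It reports only what the page states: 2.4.66 is affected, 2.4.67 carries the fix, other versions are simply "not listed here".

```shell
#!/bin/sh
# Added example (not from the advisory): classify an httpd host by the
# conditions named for CVE-2026-23918. Sample data below is constructed.

# Constructed samples in the shape of `httpd -v` and `httpd -M` output.
SAMPLE_V_66='Server version: Apache/2.4.66 (Unix)'
SAMPLE_V_67='Server version: Apache/2.4.67 (Unix)'
SAMPLE_V_OLD='Server version: Apache/2.4.58 (Unix)'
SAMPLE_MODS_EVENT_H2='Loaded Modules:
 core_module (static)
 mpm_event_module (shared)
 http2_module (shared)'
SAMPLE_MODS_EVENT_NOH2='Loaded Modules:
 core_module (static)
 mpm_event_module (shared)'
SAMPLE_MODS_PREFORK_H2='Loaded Modules:
 core_module (static)
 mpm_prefork_module (shared)
 http2_module (shared)'

# Pull the bare version number out of a "Server version: Apache/x.y.z" line.
httpd_version() {
  printf '%s\n' "$1" | sed -n 's|.*Apache/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# True when mod_http2 is loaded (the vulnerable code path is HTTP/2).
has_http2() {
  printf '%s\n' "$1" | grep -q 'http2_module'
}

# True when the prefork MPM is loaded; the advisory says prefork is not affected.
uses_prefork() {
  printf '%s\n' "$1" | grep -q 'mpm_prefork_module'
}

# assess <httpd -v output> <httpd -M output>
# Prints: exposed | not-exposed | fixed | version-not-listed
assess() {
  ver=$(httpd_version "$1")
  case "$ver" in
    2.4.67) echo "fixed"; return 0 ;;
    2.4.66) ;;                      # affected release named in the advisory
    *)      echo "version-not-listed"; return 0 ;;
  esac
  # 2.4.66: exposed only with HTTP/2 loaded and an MPM other than prefork.
  if ! has_http2 "$2" || uses_prefork "$2"; then
    echo "not-exposed"
  else
    echo "exposed"
  fi
}

# Stand-alone run over the constructed samples.
echo "event + http2 on 2.4.66:   $(assess "$SAMPLE_V_66"  "$SAMPLE_MODS_EVENT_H2")"
echo "prefork + http2 on 2.4.66: $(assess "$SAMPLE_V_66"  "$SAMPLE_MODS_PREFORK_H2")"
echo "event, no http2, 2.4.66:   $(assess "$SAMPLE_V_66"  "$SAMPLE_MODS_EVENT_NOH2")"
echo "2.4.67:                    $(assess "$SAMPLE_V_67"  "$SAMPLE_MODS_EVENT_H2")"
echo "2.4.58:                    $(assess "$SAMPLE_V_OLD" "$SAMPLE_MODS_EVENT_H2")"
```

On a live host, replace the samples with `"$(httpd -v)"` and `"$(httpd -M 2>/dev/null)"` (or `apache2ctl -V` / `apache2ctl -M` on Debian-derived systems). The "version-not-listed" result is deliberate: the advisory text here only names 2.4.66 as affected and 2.4.67 as fixed, so the script makes no claim about other releases.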