Apache httpd flaw CVE-2026-23918 allows DoS, possible RCE

Apache released httpd 2.4.67 to fix CVE-2026-23918, a double-free in mod_http2 that can cause denial-of-service and, on systems using APR mmap, possible remote code execution.

The Apache Software Foundation released httpd 2.4.67 to address CVE-2026-23918, a double-free bug in the HTTP/2 module mod_http2 present in 2.4.66. The flaw can cause denial-of-service and, on systems where the Apache Portable Runtime uses the mmap allocator, may enable remote code execution.

Researchers Bartlomiej Dmitruk and Stanislaw Strzalkowski reported the bug. The error occurs in the HTTP/2 multiplexer cleanup path when a client sends a HEADERS frame immediately followed by RST_STREAM with a non-zero error code before the multiplexer has registered the stream. Two nghttp2 callbacks then run in sequence and push the same h2_stream pointer onto a cleanup array twice. A later pass that destroys pooled resources calls apr_pool_destroy on the same memory address twice, producing a double free.

Dmitruk described two practical outcomes: “The first is denial-of-service, which is trivial: one TCP connection, two frames, no authentication, no special headers, no specific URL, and the worker crashes.” He continued, “The second outcome is remote code execution, and we built a working proof of concept on x86_64.”

The remote code execution path depends on the APR mmap allocator, which is the default on many Debian-derived distributions and in the official httpd Docker image. An attacker can sometimes place a fake h2_stream structure at a freed address by relying on mmap reuse, set its pool cleanup function pointer to system(), and use Apache’s scoreboard memory as a stable container for fake structures and the command string. The scoreboard sits at a fixed address for the server’s lifetime, which reduces the effect of address space layout randomization. Practical exploitation requires an information leak to reveal the location of system() and scoreboard offsets, and the heap-spray technique is probabilistic; in lab tests execution occurred in minutes. The prefork MPM is not affected.

Apache identifies httpd 2.4.66 as vulnerable and addressed the issue in httpd 2.4.67. The vulnerability carries a CVSS score of 8.8 and is tracked as CVE-2026-23918. The mod_http2 module ships in default httpd builds and HTTP/2 is widely enabled in production, increasing the potential attack surface. Administrators running 2.4.66 with mod_http2 enabled, particularly on systems using APR mmap, should plan updates to 2.4.67 to mitigate both service disruption and the more complex remote code execution scenario.
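
The conditions listed above (httpd 2.4.66, mod_http2 loaded, an MPM other than prefork) can be checked from the server's own `httpd -V` and `httpd -M` output. The script below is an added example, not code from Apache or the researchers; the function names, verdict strings and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage CVE-2026-23918 exposure from httpd's own output.
# SAMPLE_V / SAMPLE_M are constructed samples, not captured from a real host.

SAMPLE_V='Server version: Apache/2.4.66 (Debian)
Server built:   2026-01-01T00:00:00
Server MPM:     event
  threaded:     yes (fixed thread count)'

SAMPLE_M='Loaded Modules:
 core_module (static)
 mpm_event_module (shared)
 http2_module (shared)
 ssl_module (shared)'

# Extract "2.4.66" from the "Server version:" line of `httpd -V`.
httpd_version() {
    printf '%s\n' "$1" |
        sed -n 's|^Server version: *Apache/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Extract the MPM name (event, worker, prefork) from `httpd -V`, lowercased.
httpd_mpm() {
    printf '%s\n' "$1" |
        sed -n 's|^Server MPM: *\([A-Za-z_]*\).*|\1|p' | head -n 1 | tr 'A-Z' 'a-z'
}

# True when `httpd -M` lists http2_module (static or shared).
has_http2() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*http2_module[[:space:]]'
}

# $1 = `httpd -V` text, $2 = `httpd -M` text. Prints one verdict word.
assess() {
    ver=$(httpd_version "$1")
    mpm=$(httpd_mpm "$1")
    if [ -z "$ver" ]; then echo unknown
    elif [ "$ver" != "2.4.66" ]; then echo version-not-listed
    elif ! has_http2 "$2"; then echo http2-not-loaded
    elif [ "$mpm" = "prefork" ]; then echo prefork-not-affected
    else echo exposed   # DoS conditions met; APR mmap (RCE path) is not checked
    fi
}

# On a live host (binary may be apache2ctl or apachectl):
#   assess "$(httpd -V 2>/dev/null)" "$(httpd -M 2>/dev/null)"
assess "$SAMPLE_V" "$SAMPLE_M"
```

Distribution packages can carry backported fixes without changing the upstream version string, so an `exposed` verdict should be confirmed against the vendor's advisory for the installed package.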
