Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE

2026-05-05

1 min read

by info@thehackernews.com (The Hacker News)

Read Original

Get the latest tech trends every morning

Receive daily AI-curated summaries of engineering articles from top tech companies worldwide.

Endigest AI Core Summary

Apache HTTP Server 2.4.66 contains a critical double-free vulnerability in mod_http2 that enables both denial-of-service and remote code execution attacks.

•CVE-2026-23918 occurs when HTTP/2 HEADERS frame is followed by RST_STREAM with a non-zero error code, causing the same h2_stream pointer to be cleaned up twice
•DoS attack is trivial requiring only one TCP connection and two frames without authentication, causing worker process crashes
•RCE exploitation is practical on systems with APR mmap allocator (default on Debian and official httpd Docker image), using fake h2_stream structures and scoreboard memory manipulation
•Fixed in Apache HTTP Server version 2.4.67
•Attack surface is large as mod_http2 ships in default builds and HTTP/2 is widely enabled in production

Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE

Get the latest tech trends every morning

Endigest AI Core Summary

Related Articles

Building a safe, effective sandbox to enable Codex on Windows

Mitigate credential exposure in Windows environments with Boundary and Vault

Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation

[Webinar] Why Your AppSec Tools Miss the "Lethal Path" (and How to Fix It)