- The Apache Software Foundation has patched a severe, actively exploitable remote code execution (RCE) flaw in its widely used HTTP Server software.
- The vulnerability, tracked as CVE-2026-23918 with a CVSS score of 8.8, stems from a “double-free” bug in the HTTP/2 protocol handling module.
- Attackers can trigger a denial-of-service (DoS) on default deployments, while a working RCE exploit exists for systems like Debian and the official httpd Docker image.
- Researchers who discovered the flaw warn the attack surface is large, as HTTP/2 is widely enabled in production, urging immediate updates to version 2.4.67.
A critical vulnerability in the world’s most popular web server software, disclosed on May 5, 2026, has sent security teams scrambling for patches. Researchers from Striga.ai and ISEC.pl discovered and reported a severe flaw in The Apache Software Foundation’s HTTP Server that allows for remote code execution.
The vulnerability, CVE-2026-23918, is a double-free bug within the mod_http2 module. It can be triggered by a specific sequence of HTTP/2 frames sent by a client before a stream is fully registered.
Researcher Bartlomiej Dmitruk, credited with the find, stated that the severity is critical. He explained, “The first is denial-of-service, which is trivial: one TCP connection, two frames, no authentication, no special headers, no specific URL, and the worker crashes.”
By contrast, achieving RCE requires an Apache Portable Runtime (APR) built with the default mmap allocator. Dmitruk noted that the researchers built a working proof-of-concept that leverages the server’s fixed-address scoreboard memory to stage the attack.
However, the researcher cautioned that exploitation in the wild requires an information leak for certain memory addresses. The attack does not affect servers using the MPM prefork module, according to the advisory.
Given the widespread default use of HTTP/2, the potential attack surface for this vulnerability is significant. The foundation has addressed the issue in version 2.4.67, and users are strongly advised to update immediately.
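The advisory conditions summarised above (fixed in 2.4.67, bug lives in mod_http2, MPM prefork not affected) translate directly into an exposure check an administrator can run on each host. The script below is an added example written for this article; it is not code from the Apache project, the researchers, or the article itself. It reads the standard `httpd -V` and `httpd -M` output formats (the `Server version:`, `Server MPM:` and `http2_module` lines), and the sample outputs embedded in it are constructed for illustration. Because the article only names the fixed release, any lower version is reported as potentially affected rather than as confirmed vulnerable.

```shell
#!/bin/sh
# Exposure check for CVE-2026-23918 based on the conditions named in the advisory:
#   - httpd version below the fixed release 2.4.67
#   - mod_http2 loaded (the double-free is in that module)
#   - an MPM other than prefork (prefork is stated as not affected)
# Example code only; not from the Apache project or the article.

FIXED_VERSION=2.4.67

# True (exit 0) when dotted version $1 is strictly lower than $2.
# Compares up to three numeric components; missing components count as 0.
version_lt() {
  v1=$1
  v2=$2
  i=1
  while [ "$i" -le 3 ]; do
    p1=$(printf '%s' "$v1" | cut -d. -f"$i")
    p2=$(printf '%s' "$v2" | cut -d. -f"$i")
    p1=${p1:-0}
    p2=${p2:-0}
    if [ "$p1" -lt "$p2" ]; then return 0; fi
    if [ "$p1" -gt "$p2" ]; then return 1; fi
    i=$((i + 1))
  done
  return 1
}

# Extract "2.4.xx" from 'httpd -V' output ("Server version: Apache/2.4.xx (Unix)").
httpd_version() {
  printf '%s\n' "$1" | sed -n 's/^Server version: Apache\/\([0-9.]*\).*/\1/p'
}

# Extract the MPM name from 'httpd -V' output ("Server MPM:     event").
httpd_mpm() {
  printf '%s\n' "$1" | sed -n 's/^Server MPM: *\([A-Za-z]*\).*/\1/p' | tr 'A-Z' 'a-z'
}

# True when mod_http2 appears in 'httpd -M' output (" http2_module (shared)").
has_http2() {
  printf '%s\n' "$1" | grep -q '^ *http2_module'
}

# Combine the three conditions into a one-line verdict.
# $1 = output of 'httpd -V', $2 = output of 'httpd -M'.
assess() {
  ver=$(httpd_version "$1")
  mpm=$(httpd_mpm "$1")
  if ! version_lt "$ver" "$FIXED_VERSION"; then
    echo "not-affected: httpd $ver is at or above the fixed release $FIXED_VERSION"
  elif ! has_http2 "$2"; then
    echo "not-affected: mod_http2 is not loaded, so the vulnerable module is not in use"
  elif [ "$mpm" = "prefork" ]; then
    echo "not-affected: MPM prefork is stated as not affected"
  else
    echo "POTENTIALLY AFFECTED: httpd $ver with mod_http2 on MPM $mpm; upgrade to $FIXED_VERSION"
  fi
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_V='Server version: Apache/2.4.65 (Unix)
Server built:   Jan 01 2026 00:00:00
Server MPM:     event
  threaded:     yes (fixed thread count)
  forked:       yes (variable process count)'
SAMPLE_M='Loaded Modules:
 core_module (static)
 mpm_event_module (shared)
 http2_module (shared)'
SAMPLE_V_PREFORK='Server version: Apache/2.4.65 (Unix)
Server MPM:     prefork'
SAMPLE_V_FIXED='Server version: Apache/2.4.67 (Unix)
Server MPM:     event'

assess "$SAMPLE_V" "$SAMPLE_M"
assess "$SAMPLE_V_PREFORK" "$SAMPLE_M"
assess "$SAMPLE_V_FIXED" "$SAMPLE_M"
```

On a live host, run `assess "$(httpd -V)" "$(httpd -M)"` (on Debian-based systems the binary is `apache2ctl`, which emits the same `-V`/`-M` output). The check only reports the build's exposure; it does not send any traffic to the server.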
