Critical Apache HTTP Server Flaw Enables RCE

A critical vulnerability in the world’s most popular web server software, disclosed on May 5, 2026, has sent security teams scrambling for patches. Researchers from Striga.ai and ISEC.pl discovered and reported a severe flaw in The Apache Software Foundation’s HTTP Server that allows for remote code execution.

The vulnerability, CVE-2026-23918, is a double-free bug within the mod_http2 module. Consequently, it can be triggered by a specific sequence of HTTP/2 frames sent by a client before a stream is fully registered.

Researcher Bartlomiej Dmitruk credited with the find, stated the severity is critical. He explained, “The first is denial-of-service, which is trivial: one TCP connection, two frames, no authentication, no special headers, no specific URL, and the worker crashes.”

Meanwhile, achieving RCE requires an Apache Portable Runtime (APR) with the default mmap allocator. Dmitruk noted they built a working proof-of-concept that leverages the server’s fixed-address scoreboard memory to stage the attack.

However, the researcher cautioned that exploitation in the wild requires an information leak for certain memory addresses. The attack does not affect servers using the MPM prefork module, according to the advisory.

Given the widespread default use of HTTP/2, the potential attack surface for this vulnerability is significant. The foundation has addressed the issue in version 2.4.67, and users are strongly advised to update immediately.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

• CME to launch Bitcoin Volatility futures June 1
• ChatGPT Upgraded Free for All; Hallucinations Cut in Half
• Ripple CTO warns public not to invest in Ripple stock
• Kaiko: Traders May Have Positioned Ahead of Robinhood Listings
• MetInfo CMS Under Attack via Critical Code Flaw