Apache HTTP Server 2.4.67 Patches Critical HTTP/2 Double-Free RCE — CVE-2026-23918 (May 4, 2026)
Apache HTTP Server 2.4.67 ships an emergency patch for CVE-2026-23918, a CVSS 8.8 double-free in mod_http2 that lets a remote attacker crash any default 2.4.66 deployment and, on Debian and official builds, possibly execute code. Admins should upgrade now.
The Apache HTTP Server project on released version 2.4.67, an emergency security update that patches CVE-2026-23918 — a CVSS 8.8 double-free in mod_http2 that lets an unauthenticated remote attacker crash any default 2.4.66 deployment with a single HTTP/2 frame sequence and, under realistic conditions, escalate the bug to remote code execution. The flaw affects only the previous release, 2.4.66, but that release shipped on most major Linux distributions in early 2026, and millions of public-facing servers are likely still running it.
What Happened
Apache shipped 2.4.67 with a single security advisory and 11 bug fixes, the most serious of which is CVE-2026-23918. Maintainer Stefan Eissing posted the disclosure to the oss-security list at , alongside the public source release on httpd.apache.org.
The vulnerability is a double-free in the stream-cleanup path of h2_mplx.c. It triggers when a client sends an HTTP/2 HEADERS frame immediately followed by a RST_STREAM with a non-zero error code on the same stream — before the multiplexer has registered the stream. Both the on_frame_recv_cb and on_stream_close_cb callbacks fire and each ends up calling h2_mplx_c1_client_rst → m_stream_cleanup, pushing the same h2_stream pointer onto the spurge cleanup array twice. When c1_purge_streams later iterates that array, the second h2_stream_destroy operates on memory that was already freed.
The bug was reported privately on by Striga.ai co-founder Bartłomiej Dmitruk and ISEC.pl researcher Stanisław Strzałkowski. Apache committed the fix in revision r1930444 within 24 hours, but held the release for nearly five months to coordinate with downstream distributions and the U.S. National Vulnerability Database.
Key Details
- Affected versions: Only Apache HTTP Server 2.4.66. Versions 2.4.65 and earlier do not contain the vulnerable cleanup path; 2.4.67 ships the patch.
- Trigger: A single HTTP/2 HEADERS + RST_STREAM sequence on a server with mod_http2 loaded and any multi-threaded MPM (worker, event). HTTP/2 is enabled by default whenever mod_http2 is loaded.
- DoS: Trivial and reliable. Any reachable 2.4.66 server with HTTP/2 can be crashed remotely with a few packets and no authentication.
- RCE conditions: The Apache Portable Runtime must use the mmap allocator — the default on Debian, Ubuntu and the official Apache binary builds. With mmap reuse, an attacker can place a fake h2_stream struct at the freed virtual address, point its pool-cleanup function at system(), and use Apache's fixed-address scoreboard memory to bypass ASLR.
- CVE record: CVE-2026-23918, CVSS 3.1 base score 8.8 (network, low complexity, no privileges, no user interaction, high impact on C/I/A).
- Mitigation without patching: Disable HTTP/2 by removing LoadModule http2_module or commenting out Protocols h2 h2c http/1.1. Modern reverse proxies in front of Apache can also be configured to refuse client HTTP/2 connections.
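The exposure conditions above (exact version 2.4.66, mod_http2 loaded, a threaded MPM) can be checked fleet-wide from the output of `apachectl -v` and `apachectl -M`. The following audit helper is an added example, not Apache project code; the sample command output it runs on is constructed for illustration.

```python
"""Audit helper for CVE-2026-23918 exposure (added example, not Apache project code).

Applies the advisory's exposure conditions to the text of `apachectl -v` and
`apachectl -M`: version exactly 2.4.66, http2_module loaded, and a threaded MPM.
"""
import re
from typing import Optional

AFFECTED_VERSION = "2.4.66"
THREADED_MPMS = {"mpm_worker_module", "mpm_event_module"}


def parse_version(v_output: str) -> Optional[str]:
    """Extract 'X.Y.Z' from a 'Server version: Apache/2.4.66 (Unix)' line."""
    m = re.search(r"Server version:\s*Apache/(\d+\.\d+\.\d+)", v_output)
    return m.group(1) if m else None


def parse_modules(m_output: str) -> set:
    """Collect module names from `apachectl -M` lines like ' http2_module (shared)'."""
    return set(re.findall(r"^\s*(\w+_module)\s+\((?:shared|static)\)", m_output, re.M))


def assess(v_output: str, m_output: str) -> dict:
    """Combine version and module facts into an exposure verdict and next action."""
    version = parse_version(v_output)
    modules = parse_modules(m_output)
    http2 = "http2_module" in modules
    threaded = bool(modules & THREADED_MPMS)
    exposed = version == AFFECTED_VERSION and http2 and threaded
    if exposed:
        action = "upgrade to 2.4.67 or unload mod_http2 now"
    elif version == AFFECTED_VERSION:
        action = "vulnerable build but HTTP/2 path not active; still upgrade to 2.4.67"
    else:
        action = "version not affected"
    return {"version": version, "http2": http2, "threaded_mpm": threaded,
            "exposed": exposed, "action": action}


# Constructed sample output (illustrative; not captured from a real host).
SAMPLE_V = "Server version: Apache/2.4.66 (Debian)\nServer built:   2026-01-12T10:00:00\n"
SAMPLE_M = ("Loaded Modules:\n core_module (static)\n mpm_event_module (shared)\n"
            " http2_module (shared)\n ssl_module (shared)\n")

if __name__ == "__main__":
    for key, value in assess(SAMPLE_V, SAMPLE_M).items():
        print(f"{key}: {value}")
```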
What Developers and Sysadmins Are Saying
Reaction across Hacker News and r/sysadmin has been a mix of relief and frustration. The dominant Hacker News comment from tptacek notes that the bug pattern — double-free via early stream reset — is structurally similar to the 2023 HTTP/2 Rapid Reset class of attacks and asks whether the entire HTTP/2 stream lifecycle in mod_http2 needs a hardening review.
On r/sysadmin and oss-security, several operators expressed concern that 2.4.66 was the version cPanel, Plesk and most Debian-stable backports shipped to production in Q1 2026, meaning the exposed surface is unusually large. Researchers at Hadrian have already published a working DoS proof-of-concept; an RCE exploit is reportedly being demonstrated privately, but no public weaponized exploit had surfaced as of .
What This Means for Developers and Operators
If you operate any Apache HTTP Server 2.4.66 instance reachable from the internet, treat this as drop-everything urgent. Upgrade to 2.4.67 today, or disable mod_http2 until you can. Hosting providers, in particular, should audit shared-hosting fleets — one crash on a multi-tenant Apache will take every co-hosted site down with it.
For application teams behind a reverse proxy (Cloudflare, NGINX, HAProxy, AWS ALB), the proxy typically terminates HTTP/2 and re-issues HTTP/1.1 to Apache, which mitigates this specific bug. But that's only true if the proxy is genuinely terminating HTTP/2 — if your edge passes HTTP/2 frames through to origin Apache, you're still exposed.
What's Next
Debian, Ubuntu, Red Hat and Amazon Linux all began shipping 2.4.67 packages on ; cPanel pushed an EasyApache 4 update the same day. Apache has indicated it will publish a longer post-mortem within two weeks describing the December disclosure timeline and what additional mod_http2 hardening is planned. Affected operators can track httpd.apache.org/security/vulnerabilities_24.html for the canonical advisory.
Sources
- oss-security — Stefan Eissing's CVE-2026-23918 disclosure (primary source)
- CVE-2026-23918 record (MITRE)
- The Hacker News — coverage and CVSS context
- Hadrian — technical write-up of the double-free path
- httpd.apache.org — canonical 2.4 vulnerability list
- webhosting.today — impact on shared-hosting fleets