Apache HTTP Server HTTP/2 Double-Free Vulnerability Enabling DoS and RCE (CVE-2026-23918)
Scope: Apache HTTP Server 2.4.66 (mod_http2 with multi-threaded MPM)
Severity: Red
A critical double-free memory corruption flaw (CVSS 8.8) in the HTTP/2 implementation of Apache HTTP Server 2.4.66 allows unauthenticated remote attackers to crash worker processes using a single TCP connection and two HTTP/2 frames. Under certain configurations, particularly Debian-derived systems and official Docker images using APR with mmap, it can lead to remote code execution. The vulnerability is triggered by a crafted early stream reset frame that causes the same memory region to be freed twice, corrupting the heap. Organizations should upgrade immediately to Apache HTTP Server 2.4.67, which resolves this and ten additional CVEs; where immediate patching is not feasible, disabling HTTP/2 removes the attack surface for this specific flaw.
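The following triage helper is an added example, not part of this advisory or of the Apache project. It parses the output of `httpd -v` and `httpd -M` to decide whether a host runs the 2.4.66 build this advisory covers and whether mod_http2 is actually loaded, and reports the matching action (upgrade to 2.4.67, or the HTTP/2 workaround via the `Protocols` directive). The sample outputs embedded at the bottom are constructed, not captured from a real host.

```shell
#!/bin/sh
# Triage helper for CVE-2026-23918: is this host on httpd 2.4.66, and is
# mod_http2 loaded? Inputs are the raw text of `httpd -v` and `httpd -M`.

# Extract the version number ("2.4.66") from the first line of `httpd -v`.
httpd_version() {
    printf '%s\n' "$1" | sed -n 's#^Server version: Apache/\([0-9][0-9.]*\).*#\1#p'
}

# Returns 0 when the version is exactly the build this advisory covers.
in_advisory_scope() {
    [ "$(httpd_version "$1")" = "2.4.66" ]
}

# Returns 0 when http2_module is listed in `httpd -M` output.
http2_loaded() {
    printf '%s\n' "$1" | grep -q '^ *http2_module'
}

# One-line verdict combining both checks.
triage() {
    ver=$(httpd_version "$1")
    if ! in_advisory_scope "$1"; then
        echo "httpd ${ver:-unknown}: not the 2.4.66 build covered by CVE-2026-23918"
    elif http2_loaded "$2"; then
        echo "httpd $ver with mod_http2 loaded: upgrade to 2.4.67 or set 'Protocols http/1.1'"
    else
        echo "httpd $ver without mod_http2: upgrade to 2.4.67 at the next maintenance window"
    fi
}

# Constructed sample output (not from a real host) so the script runs stand-alone.
SAMPLE_V='Server version: Apache/2.4.66 (Debian)
Server built:   Jan  1 2026 00:00:00'
SAMPLE_M='Loaded Modules:
 core_module (static)
 http2_module (shared)
 mpm_event_module (shared)'

triage "$SAMPLE_V" "$SAMPLE_M"
# On a live host: triage "$(httpd -v 2>&1)" "$(httpd -M 2>&1)"
```

Setting `Protocols http/1.1` (dropping `h2`/`h2c`) only removes the HTTP/2 attack surface; the 2.4.67 upgrade is still required for the other CVEs the release resolves.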
The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.