"The severity of CVE-2026-23918 is critical, as it can be exploited to achieve denial-of-service (DoS) and RCE," Bartlomiej Dmitruk told The Hacker News via email.
CVE-2026-23918: a double-free in mod_http2
The Apache Software Foundation has released updates to address CVE-2026-23918, a high-severity flaw in Apache HTTP Server's HTTP/2 handling that carries a CVSS score of 8.8. The bug is a double-free in Apache httpd 2.4.66's mod_http2 implementation, specifically in the stream cleanup path within h2_mplx.c. The issue was fixed in Apache HTTP Server version 2.4.67.
How the vulnerability is triggered inside the server
The fault is triggered when a client sends an HTTP/2 HEADERS frame immediately followed by RST_STREAM with a non-zero error code on the same stream, before the multiplexer has registered the stream. Two nghttp2 callbacks then fire in sequence — on_frame_recv_cb for the RST and on_stream_close_cb for the close — and both call h2_mplx_c1_client_rst -> m_stream_cleanup. That sequence pushes the same h2_stream pointer onto the spurge cleanup array twice. Later, when c1_purge_streams iterates spurge and calls h2_stream_destroy -> apr_pool_destroy for each entry, the second call operates on memory that has already been freed, producing the double-free.
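To make the double-push concrete, the following is a simplified C model added here; it is not httpd's code and not the 2.4.67 fix. It replays the two-callback cleanup sequence against a toy multiplexer and shows how an assumed per-stream `in_purge` flag (a hypothetical guard, not necessarily what Apache shipped) keeps the pointer from being queued for destruction twice.

```c
#include <stdlib.h>
#include <string.h>

/* Toy model (added example, not httpd code): a stream and a multiplexer
 * holding the "spurge" list that c1_purge_streams later walks. */
typedef struct { int id; int in_purge; } stream_t;

typedef struct {
    stream_t *spurge[8];   /* streams queued for destruction */
    int nspurge;
    int destroyed;         /* destroy calls made by purge_streams */
} mplx_t;

/* Vulnerable shape: each RST path appends unconditionally, so an
 * unregistered stream reached by both callbacks lands in spurge twice. */
static void stream_cleanup_unguarded(mplx_t *m, stream_t *s) {
    m->spurge[m->nspurge++] = s;
}

/* Guarded shape (assumption: a per-stream flag, not Apache's actual fix):
 * mark the stream on first enqueue and ignore any later duplicate. */
static int stream_cleanup_guarded(mplx_t *m, stream_t *s) {
    if (s->in_purge) return 0;
    s->in_purge = 1;
    m->spurge[m->nspurge++] = s;
    return 1;
}

/* c1_purge_streams analogue: free every queued entry. On a list holding
 * the same pointer twice this is the double free, so it only runs on
 * guarded state below. */
static void purge_streams(mplx_t *m) {
    for (int i = 0; i < m->nspurge; i++) { free(m->spurge[i]); m->destroyed++; }
    m->nspurge = 0;
}

/* Replay HEADERS + RST_STREAM: two callbacks, one stream that was never
 * registered. Returns how many spurge slots that single stream occupies. */
int rst_sequence_entries(int guarded) {
    mplx_t m; memset(&m, 0, sizeof m);
    stream_t *s = calloc(1, sizeof *s);
    s->id = 1;
    if (guarded) { stream_cleanup_guarded(&m, s); stream_cleanup_guarded(&m, s); }
    else         { stream_cleanup_unguarded(&m, s); stream_cleanup_unguarded(&m, s); }
    int n = m.nspurge;
    if (guarded) purge_streams(&m);  /* frees s exactly once */
    else free(s);                    /* never purge the duplicated list */
    return n;
}
```

Run under AddressSanitizer, replacing the `else free(s);` branch with `purge_streams(&m)` reproduces the double-free report the article describes, which is a useful regression check for any cleanup path that can be reached from more than one callback.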
Two exploit outcomes: trivial DoS and a practical RCE path in lab conditions
Dmitruk described two distinct outcomes from exploiting the double-free. The denial-of-service outcome is straightforward: one TCP connection and two frames are sufficient, with no authentication, special headers, or specific URL required. The exploit crashes a worker in any default deployment with mod_http2 and a multi-threaded MPM; Apache will respawn the worker, but every request that would have been handled by the crashed worker is dropped and the pattern can be sustained as long as the attacker continues sending the frames.
The remote code execution path is more complex but demonstrably practical in controlled conditions. Dmitruk and co-researcher Stanislaw Strzalkowski (ISEC.pl) produced a working proof-of-concept on x86_64. The RCE chain, as described, places a fake h2_stream structure at the freed virtual address via mmap reuse, sets its pool cleanup function to system(), and uses Apache's scoreboard memory as a stable container for the fake structures and the command string. The scoreboard's fixed address for the lifetime of the server — persisting even with ASLR — makes the RCE path practicable. Dmitruk notes the usual caveats: exploitation requires an information leak for the address of system() and scoreboard offsets, and the heap-spray step is probabilistic. Still, in laboratory conditions the exploit can attain execution within minutes.
Affected builds, runtime constraints, and mitigation status
- Affected: Apache HTTP Server 2.4.66 (mod_http2).
- Fixed: Apache HTTP Server 2.4.67.
- Runtime factors: the RCE path requires an Apache Portable Runtime (APR) built with the mmap allocator. That allocator is the default on Debian-derived systems and on the official httpd Docker image.
- MPM prefork: Dmitruk reported that MPM prefork is not affected by this flaw; the DoS is effective against multi-threaded MPMs.
- Attack surface: mod_http2 ships in default builds and, as noted by the reporter, HTTP/2 is widely enabled in production deployments, increasing the potential exposure.
What this means for technologists, Debian-derived and Docker operators, and enterprise teams
- Technologists and security teams — Apply the 2.4.67 update to any servers running Apache HTTP Server 2.4.66 with mod_http2 enabled, and consider the MPM in use: multi-threaded MPMs are susceptible to the trivial DoS path, while prefork is not.
- Debian-derived system and official httpd Docker image operators — Because the APR mmap allocator is the default in these environments, operators should prioritize patching: the mmap requirement makes the RCE path practicable on those platforms under lab conditions.
- Enterprise and procurement leaders — Note that mod_http2 ships in default builds and HTTP/2 is commonly enabled; inventories and deployment standards should verify which servers run 2.4.66 and with what APR allocator, and schedule urgent updates where necessary.
Attribution, public disclosure, and final observation
The vulnerability was discovered and reported by Bartlomiej Dmitruk (Striga.ai co-founder) and Stanislaw Strzalkowski (ISEC.pl). Apache has issued updates to remediate the flaw in version 2.4.67. Dmitruk emphasized the severity and ease of achieving denial-of-service, and demonstrated an RCE proof-of-concept under laboratory conditions on x86_64, while acknowledging practical constraints such as the need for an information leak and probabilistic heap spraying.
The combination of a trivial DoS vector and a feasible RCE chain on common platform defaults — Debian-derived systems and the official httpd Docker image — makes timely patching the clear immediate priority for affected operators. The remainder is a practical question: how rapidly administrators can replace vulnerable 2.4.66 instances with 2.4.67 in environments where mod_http2 and multi-threaded MPMs are the norm.
Original reporting: The Hacker News — Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE