Critical Apache HTTP Server 2.4.66 Vulnerability (CVE-2026-23918): HTTP/2 mod_http2 Double-Free Enables DoS and Remote Code Execution

Executive Summary

A critical vulnerability, CVE-2026-23918, has been identified in the Apache HTTP Server’s HTTP/2 protocol implementation (mod_http2), specifically affecting version 2.4.66. This flaw, classified as a double-free memory corruption bug, can be trivially exploited to cause Denial-of-Service (DoS) and, under certain conditions, enables Remote Code Execution (RCE). The vulnerability is rated with a CVSS score of 8.8, reflecting its high impact and ease of exploitation. The issue is resolved in Apache HTTP Server 2.4.67. Exploitation has been confirmed in the wild, and a working RCE proof-of-concept has been demonstrated by security researchers. Organizations running affected versions with mod_http2 enabled are at immediate risk and should prioritize remediation.

Technical Information

CVE-2026-23918 is a double-free vulnerability in the mod_http2 module of Apache HTTP Server 2.4.66. The flaw resides in the handling of HTTP/2 streams within the h2_mplx.c source file. When a client sends an HTTP/2 HEADERS frame immediately followed by a RST_STREAM frame (with a non-zero error code) on the same stream, and this occurs before the multiplexer has registered the stream, two separate callbacks in the nghttp2 library (on_frame_recv_cb for RST and on_stream_close_cb for close) both invoke the h2_mplx_c1_client_rst function, which in turn calls m_stream_cleanup. This results in the same h2_stream pointer being pushed onto the cleanup array twice. When the cleanup routine executes, it attempts to free the same memory region twice, leading to a double-free condition.

The immediate impact is a crash of the worker process, which Apache will respawn, but this can be repeated indefinitely, resulting in a sustained DoS condition. The attack requires only a single TCP connection and two HTTP/2 frames, with no authentication, special headers, or specific URLs required. This makes exploitation trivial and highly accessible to attackers.

The RCE vector is more complex but feasible, particularly on systems using the Apache Portable Runtime (APR) with the mmap allocator, which is the default on Debian-based distributions and official Docker images. In this scenario, an attacker can exploit the double-free to inject a fake h2_stream structure at the freed memory address, redirect the pool cleanup function pointer to system(), and leverage the Apache scoreboard shared memory as a stable container for the payload. Achieving RCE requires an information leak to determine the address of system() and the scoreboard, as well as a heap spray to position the payload correctly. While this is probabilistic, it has been demonstrated as practical in controlled environments.

It is important to note that MPM prefork (the single-threaded Multi-Processing Module) is not affected by this vulnerability, as the bug is only present in multi-threaded MPM configurations.

Exploitation in the Wild

Exploitation of CVE-2026-23918 for DoS has been confirmed in the wild. Attackers are actively leveraging the trivial exploit path to crash Apache worker processes, causing repeated service disruptions. Large-scale internet scans targeting HTTP/2 endpoints have been observed, as reported on social media platforms such as Reddit and in cybersecurity forums. The RCE exploit, while more sophisticated, has been proven viable by the original discoverers, though there is no evidence of widespread public exploitation for RCE at this time. However, given the technical details available and the prevalence of vulnerable configurations, it is highly likely that threat actors will develop and deploy RCE exploits in the near future.

APT Groups using this vulnerability

As of this report, there is no public attribution of CVE-2026-23918 exploitation to specific Advanced Persistent Threat (APT) groups. However, the technical simplicity of the DoS exploit and the high value of RCE make this vulnerability attractive to a broad spectrum of threat actors, including ransomware operators, botnet controllers, and state-sponsored groups. The exploit is well within the capabilities of advanced actors, and it is anticipated that weaponization and adoption by APTs will occur rapidly if it has not already begun.

Affected Product Versions

The affected product is Apache HTTP Server 2.4.66 with mod_http2 enabled and running a multi-threaded MPM (such as event or worker). Systems using the MPM prefork module are not vulnerable. The vulnerability is present in default configurations on many Debian-based distributions and official Docker images, where mod_http2 is enabled by default and the mmap allocator is used. The issue is resolved in Apache HTTP Server 2.4.67 and later. Deployments with mod_http2 disabled or using MPM prefork are not affected.
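To turn the affected-configuration criteria above into a repeatable check, here is an added audit script (written for this page, not taken from the advisory or from the Apache project) that reads the text of `apachectl -V` and `apachectl -M` and reports whether a host matches the exposed combination of version 2.4.66, a loaded mod_http2 and a threaded MPM; the sample output it runs on is constructed.

```shell
#!/bin/sh
# Added example, not part of the advisory: audit an httpd instance for the
# exposed configuration (Apache 2.4.66 + mod_http2 loaded + a threaded MPM).
# prefork, a different version, or no mod_http2 all mean "not exposed".
# Takes the text of `httpd -V` and `httpd -M` as arguments so it can run
# offline against captured output; on a live host call it as
#   check_httpd_exposure "$(apachectl -V)" "$(apachectl -M 2>/dev/null)"

# Prints a verdict; exit status 0 = exposed, 1 = not exposed.
check_httpd_exposure() {
    version_out=$1
    modules_out=$2
    ver=$(printf '%s\n' "$version_out" | sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*/\1/p')
    mpm=$(printf '%s\n' "$version_out" | sed -n 's/^Server MPM: *\([A-Za-z]*\).*/\1/p')
    if [ "$ver" != "2.4.66" ]; then
        echo "not exposed: Apache '$ver' is not the affected 2.4.66"
        return 1
    fi
    if ! printf '%s\n' "$modules_out" | grep -q '^ *http2_module'; then
        echo "not exposed: mod_http2 is not loaded"
        return 1
    fi
    case "$mpm" in
        prefork)
            echo "not exposed: MPM prefork is not affected by this bug"
            return 1 ;;
        event|worker)
            echo "EXPOSED: Apache $ver, MPM $mpm, mod_http2 loaded -> upgrade to 2.4.67"
            return 0 ;;
        *)
            echo "EXPOSED (assumed): Apache $ver, unrecognised MPM '$mpm', mod_http2 loaded"
            return 0 ;;
    esac
}

# Constructed sample output in the shape `httpd -V` / `httpd -M` produce.
SAMPLE_V='Server version: Apache/2.4.66 (Debian)
Server MPM:     event
  threaded:     yes (fixed thread count)'
SAMPLE_M='Loaded Modules:
 core_module (static)
 mpm_event_module (shared)
 http2_module (shared)'

check_httpd_exposure "$SAMPLE_V" "$SAMPLE_M"
```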

Workaround and Mitigation

Immediate mitigation is to upgrade to Apache HTTP Server 2.4.67 or later, which contains the official fix for CVE-2026-23918. If upgrading is not immediately possible, disabling mod_http2 will prevent exploitation, as the vulnerable code path is not executed. Alternatively, switching to MPM prefork (the single-threaded processing model) will also mitigate the vulnerability, as the bug does not manifest in this configuration. Organizations should monitor their systems for signs of exploitation, including repeated worker process crashes, unusual HTTP/2 traffic patterns, and log entries indicating double-free or heap corruption errors. Reviewing core dumps and system logs for anomalies related to memory management is also recommended.
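The mitigation guidance above asks operators to watch for repeated worker crashes. The following added example (written for this page, not part of the advisory) scans an Apache error log for the standard child-exit-by-signal notices (AH00051/AH00052, "child pid N exit signal ...") and flags any minute in which at least a chosen number of workers died; the log lines it reads are constructed samples, and the threshold is an assumption to tune against normal churn.

```shell
#!/bin/sh
# Added example, not from the advisory: detect a burst of worker crashes in an
# Apache error log, the DoS symptom described above. Matches the httpd notice
# "child pid N exit signal <name> (<num>)" and buckets hits by minute using the
# standard "[Thu Jan 01 12:00:05.200000 2026]" timestamp prefix.

# Usage: crash_burst_check <threshold> < error_log
# Prints one line per offending minute; exit status 0 = burst found, 1 = none.
crash_burst_check() {
    awk -v thr="$1" '
        /child pid [0-9]+ exit signal/ {
            # $2=Mon $3=day $4=HH:MM:SS.usec $5=year] -> key "YYYY Mon DD HH:MM"
            key = substr($5, 1, 4) " " $2 " " $3 " " substr($4, 1, 5)
            count[key]++
            if (match($0, /exit signal [A-Za-z ]+ \([0-9]+\)/))
                sig[key] = substr($0, RSTART + 12, RLENGTH - 12)
        }
        END {
            found = 0
            for (k in count)
                if (count[k] >= thr) {
                    printf "burst: %d worker crashes in minute %s (last: %s)\n", count[k], k, sig[k]
                    found = 1
                }
            if (found) exit 0
            exit 1
        }'
}

# Constructed sample: four workers die within one minute (glibc aborts on a
# detected double free, so both Aborted and Segmentation fault show up),
# then a lone crash seven minutes later that should not trip the check.
SAMPLE_LOG='[Thu Jan 01 12:00:01.100000 2026] [mpm_event:notice] [pid 100:tid 100] AH00489: Apache/2.4.66 (Debian) configured -- resuming normal operations
[Thu Jan 01 12:00:05.200000 2026] [core:notice] [pid 100:tid 100] AH00052: child pid 201 exit signal Aborted (6)
[Thu Jan 01 12:00:06.300000 2026] [core:notice] [pid 100:tid 100] AH00052: child pid 202 exit signal Segmentation fault (11)
[Thu Jan 01 12:00:07.400000 2026] [core:notice] [pid 100:tid 100] AH00052: child pid 203 exit signal Aborted (6)
[Thu Jan 01 12:00:08.500000 2026] [core:notice] [pid 100:tid 100] AH00052: child pid 204 exit signal Aborted (6)
[Thu Jan 01 12:07:30.000000 2026] [core:notice] [pid 100:tid 100] AH00052: child pid 205 exit signal Segmentation fault (11)'

printf '%s\n' "$SAMPLE_LOG" | crash_burst_check 3
```

Against a live server run it as `crash_burst_check 3 < /var/log/apache2/error.log` (path is distribution-specific) from cron or a log shipper, and pair a hit with a packet capture of HTTP/2 traffic to the affected vhosts.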

References

For further technical details and official advisories, consult the following resources: the NVD CVE-2026-23918 entry, the Apache HTTP Server Security Advisory, The Hacker News coverage, the oss-security mailing list discussion, and the Reddit r/cybersecurity thread.

Rescana is here for you

Rescana is committed to helping organizations manage and mitigate third-party and supply chain cyber risks. Our advanced TPRM platform provides continuous monitoring, automated risk assessment, and actionable intelligence to help you stay ahead of emerging threats. If you have questions about this advisory or require assistance with incident response, please contact us at ops@rescana.com. We are here to support your security operations and ensure your organization’s resilience against evolving cyber threats.