May 6, 2026
SUMMARY
A critical double-free vulnerability in Apache HTTP Server's HTTP/2 module allows unauthenticated Remote Code Execution (RCE) and Denial of Service (DoS) attacks. [1]
IMPACT
Attackers can potentially execute arbitrary code remotely by exploiting this vulnerability, or conduct Denial of Service attacks by repeatedly crashing Apache worker processes.
WHAT IS VULNERABLE
- Debian-derived Linux systems running Apache 2.4.66
- Default httpd Docker images running Apache 2.4.66
- The RCE flaw affects any other Apache 2.4.66 deployment whose Apache Portable Runtime (APR) is configured to use the mmap allocator [3]
- The DoS flaw affects any Apache 2.4.66 deployment with mod_http2 and a multi-threaded MPM [4]
RECOMMENDATIONS
- Upgrade to Apache 2.4.67 immediately.
- Patches are available for Debian-derived systems. [5]
- If you are unable to patch immediately, you can temporarily mitigate this vulnerability by disabling HTTP/2 in your Apache configuration.
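The following shell script is an added example and is not part of this advisory or of the Apache project. It covers the two practical checks above: it compares an Apache version banner (the format printed by `apache2 -v` or `httpd -v`) against the fixed 2.4.67 release, scans a configuration for `Protocols` directives that enable h2/h2c, and rewrites them to the HTTP/1.1-only form that the temporary mitigation calls for. The sample configuration and version strings are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the advisory or the Apache project).
# Checks an Apache version banner against 2.4.67 and detects/disables
# HTTP/2 in a configuration via its "Protocols" directives.

# Constructed sample of lines as found in a Debian-style apache2.conf
# or vhost file; the hostname is made up.
SAMPLE_CONF='ServerName www.example.test
Protocols h2 h2c http/1.1
<VirtualHost *:443>
    Protocols h2 http/1.1
</VirtualHost>'

# Constructed banner in the format printed by "apache2 -v" / "httpd -v".
SAMPLE_BANNER='Server version: Apache/2.4.66 (Debian)'

# needs_upgrade BANNER: prints "yes" if the Apache version in BANNER is
# below 2.4.67, "no" if it is 2.4.67 or later, "unknown" if unparseable.
needs_upgrade() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's|.*Apache/\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\).*|\1 \2 \3|p')
    # Split "major minor patch" into positional parameters.
    set -- $ver
    if [ "$#" -ne 3 ]; then
        echo "unknown"
        return
    fi
    if [ $(( $1 * 1000000 + $2 * 1000 + $3 )) -lt $(( 2 * 1000000 + 4 * 1000 + 67 )) ]; then
        echo "yes"
    else
        echo "no"
    fi
}

# h2_enabled CONF: prints "yes" if any active Protocols directive in CONF
# lists h2 (HTTP/2 over TLS) or h2c (cleartext HTTP/2), otherwise "no".
# Commented-out directives ("#Protocols ...") do not match.
h2_enabled() {
    printf '%s\n' "$1" | awk '
        $1 == "Protocols" {
            for (i = 2; i <= NF; i++)
                if ($i == "h2" || $i == "h2c") found = 1
        }
        END { print (found ? "yes" : "no") }'
}

# disable_h2 CONF: prints CONF with every active Protocols directive
# rewritten to "Protocols http/1.1", preserving indentation and all
# other lines. This is the temporary mitigation, not a fix.
disable_h2() {
    printf '%s\n' "$1" | awk '
        $1 == "Protocols" { sub(/Protocols.*/, "Protocols http/1.1") }
        { print }'
}

# Stand-alone run over the constructed samples.
echo "needs upgrade: $(needs_upgrade "$SAMPLE_BANNER")"
echo "HTTP/2 enabled before: $(h2_enabled "$SAMPLE_CONF")"
MITIGATED=$(disable_h2 "$SAMPLE_CONF")
echo "HTTP/2 enabled after:  $(h2_enabled "$MITIGATED")"
echo "--- mitigated configuration ---"
printf '%s\n' "$MITIGATED"
```

On a live Debian-derived host the equivalent steps are `apache2ctl -M | grep http2` to confirm whether mod_http2 is loaded at all, and `a2dismod http2` followed by a service reload to keep the module from loading, which is a more thorough form of the mitigation than editing `Protocols` lines because the vulnerable code is then never mapped into the worker processes. Removing the `Protocols` directives entirely also disables HTTP/2, since Apache's default is http/1.1 only. Either way this is a stopgap until 2.4.67 is installed.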
REFERENCES
[1] https://thehackernews.com/2026/05/critical-apache-http2-flaw-cve-2026.ht...
[2] https://www.cve.org/CVERecord?id=CVE-2026-23918
[4] https://httpd.apache.org/docs/2.4/mpm.html
[5] https://security-tracker.debian.org/tracker/CVE-2026-23918