
The Apache Software Foundation (ASF) has released security updates that address several security vulnerabilities in its HTTP server, including a serious vulnerability that could lead to remote code execution (RCE).
The vulnerability is tracked as CVE-2026-23918 (CVSS score: 8.8) and is described as a case of “double free and possible RCE” in HTTP/2 protocol processing. This issue affected Apache HTTP Server 2.4.66 and was resolved in version 2.4.67.
Striga.ai co-founder Bartlomiej Dmitruk and ISEC.pl researcher Stanislaw Strzalkowski are credited with discovering and reporting the vulnerability.
When asked for comment, Dmitruk told The Hacker News via email that CVE-2026-23918 is serious because it can be exploited to cause a denial of service (DoS) or RCE. Details of the vulnerability follow.
CVE-2026-23918 is a double free in the stream cleanup path of mod_http2 in Apache httpd 2.4.66, specifically in h2_mplx.c. The bug is triggered when a client sends a RST_STREAM frame with a non-zero error code immediately after an HTTP/2 HEADERS frame on the same stream, before the multiplexer has registered the stream.
Two nghttp2 callbacks then fire in sequence: on_frame_recv_cb for the RST_STREAM and on_stream_close_cb for the close. Both ultimately call h2_mplx_c1_client_rst -> m_stream_cleanup, which pushes the same h2_stream pointer into the spurge cleanup array twice. c1_purge_streams then iterates over spurge and calls h2_stream_destroy -> apr_pool_destroy for each entry; the second call operates on memory that has already been freed.
Dmitruk added that the DoS is easy and works against a default deployment using mod_http2 and a multi-threaded MPM. The RCE path, on the other hand, requires the Apache Portable Runtime (APR) with the mmap allocator, which is the default on Debian-derived systems and in the official httpd Docker image. Dmitruk further explained:
The first is denial of service. This is easy. One TCP connection, two frames, no authentication, no special headers, no specific URL, and the worker crashes. Apache will respawn it, but all requests on the crashed worker will be discarded, and the pattern may persist as long as the attacker keeps sending.
The second outcome was remote code execution, where we built a proof of concept running on x86_64. This chain places a fake h2_stream struct at a virtual address freed by mmap reuse, points its pool cleanup function to system(), and uses Apache’s scoreboard memory as a stable container for the fake struct and command string.
The scoreboard is located at a fixed address for the life of the server, even with ASLR. This makes the RCE path practical. Usual precautions apply. Actual exploitation requires system() and scoreboard offset information leakage. Heap spray is also probabilistic, but runs in a few minutes in a lab environment.
Dmitruk also pointed out that the prefork MPM is not affected by the flaw. However, the researchers warned that the attack surface is large because mod_http2 ships with default builds and HTTP/2 is widely enabled in production environments. Given the severity of the flaw, applying the latest fixes is recommended.
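As an added triage helper (not from the article, the researchers, or the Apache project), the script below turns the exposure conditions stated above into a check an administrator can run against the output of `httpd -v` and `httpd -M` (on Debian-derived systems the binary is `apache2`): the fix version 2.4.67, the need for mod_http2 to be loaded, and the prefork MPM being unaffected. The sample outputs embedded in it are constructed.

```python
import re
from typing import Optional, Set, Tuple

# From the article: CVE-2026-23918 affects 2.4.66 and is fixed in 2.4.67.
AFFECTED_VERSION = (2, 4, 66)
FIXED_VERSION = (2, 4, 67)


def parse_version(httpd_v: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from `httpd -v` / `apache2 -v` output."""
    m = re.search(r"Server version:\s*Apache/(\d+)\.(\d+)\.(\d+)", httpd_v)
    return tuple(int(x) for x in m.groups()) if m else None  # type: ignore[return-value]


def parse_modules(httpd_m: str) -> Set[str]:
    """Collect module names from `httpd -M` output, e.g. ' http2_module (shared)'."""
    return set(re.findall(r"^\s*(\w+_module)\s+\((?:static|shared)\)", httpd_m, re.M))


def assess(httpd_v: str, httpd_m: str) -> str:
    """Classify exposure to CVE-2026-23918 using only the conditions the article gives."""
    version = parse_version(httpd_v)
    if version is None:
        return "unknown: could not parse server version"
    if version >= FIXED_VERSION:
        return "patched"
    mods = parse_modules(httpd_m)
    if "http2_module" not in mods:
        return "not exposed: mod_http2 not loaded"
    if "mpm_prefork_module" in mods:
        return "not exposed: prefork MPM"
    if version == AFFECTED_VERSION:
        return "vulnerable: upgrade to 2.4.67 or unload mod_http2"
    # Older than 2.4.66: the article only names 2.4.66; check the ASF advisory.
    return "review: older than 2.4.66, verify against the ASF advisory"


# Constructed sample outputs mimicking a Debian-style build with the event MPM.
SAMPLE_V = "Server version: Apache/2.4.66 (Unix)\nServer built:   Jan  1 2026 00:00:00\n"
SAMPLE_M = (
    "Loaded Modules:\n core_module (static)\n mpm_event_module (shared)\n"
    " http2_module (shared)\n ssl_module (shared)\n"
)

if __name__ == "__main__":
    print(assess(SAMPLE_V, SAMPLE_M))
```

A loaded http2_module does not by itself mean h2 is negotiated on every vhost; the `Protocols` directive decides that, so treat "vulnerable" as "patch now" rather than as proof of reachability.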
