PROBABLYPWNED
Vulnerabilities | May 23, 2026 | 4 min read

Apache HTTP/2 Double-Free Enables DoS and RCE

CVE-2026-23918 in Apache HTTP Server 2.4.66 lets attackers crash workers trivially or achieve remote code execution through a double-free in mod_http2. Upgrade to 2.4.67 immediately.

Marcus Chen

A critical double-free vulnerability in Apache HTTP Server's HTTP/2 implementation allows attackers to crash web servers trivially or, under specific conditions, execute arbitrary code remotely. CVE-2026-23918 affects version 2.4.66 and carries a CVSS score of 8.8.

The Apache Software Foundation has released version 2.4.67 to address the flaw. Given that Apache powers roughly a quarter of all websites globally, the impact potential is substantial. This follows a busy week for web infrastructure patches—Drupal also issued a highly critical security release just days ago.

How the Attack Works

The vulnerability lives in mod_http2's stream cleanup logic within h2_mplx.c. When a client sends an HTTP/2 HEADERS frame immediately followed by RST_STREAM with a non-zero error code—before the multiplexer registers the stream—two nghttp2 callbacks execute sequentially. Both invoke m_stream_cleanup, pushing the same h2_stream pointer onto the cleanup array twice.

When c1_purge_streams later iterates through that array and calls h2_stream_destroy, the second call operates on already-freed memory. The result is a classic double-free condition.

Denial of Service: Trivial to Exploit

The DoS path requires minimal effort. One TCP connection. Two HTTP/2 frames. No authentication. No special headers. No specific URL path needed. The worker process handling the connection crashes on any default deployment running mod_http2 with a multi-threaded MPM (Multi-Processing Module).

Apache respawns crashed workers, but every in-flight request on that worker is dropped. An attacker can sustain the pattern indefinitely, degrading service availability for legitimate users. The attack leaves no distinguishing signature beyond malformed HTTP/2 traffic patterns.

Remote Code Execution: Harder but Achievable

The RCE path is more complex but researchers have demonstrated working proof-of-concept code on x86_64 systems. Successful exploitation requires the target to use Apache Portable Runtime (APR) with its mmap allocator—the default configuration on Debian-based systems and the official httpd Docker images.

The attack chain places a fake h2_stream structure at the freed virtual address through controlled mmap reuse. This fake structure points its pool cleanup function to system() and uses Apache's scoreboard memory as a stable container for the payload. When the cleanup routine fires, the attacker's command executes.

This isn't script-kiddie territory. But motivated attackers with time to develop stable exploits will find the primitives sufficient.

Why This Matters

Apache HTTP Server remains foundational infrastructure. While nginx has gained market share, Apache still powers critical workloads across enterprises, governments, and hosting providers. HTTP/2 adoption continues growing as organizations chase performance benefits.

Memory corruption vulnerabilities in web servers create outsized risk because these systems handle untrusted input by design. We've seen similar patterns recently—the nginx Poolslip zero-day demonstrated how HTTP/2 complexity creates new attack surface even in mature codebases.

The double-free primitive in CVE-2026-23918 is particularly concerning because it's deterministic. Unlike use-after-free bugs that require precise timing, this flaw triggers reliably through normal protocol handling.

Affected Configurations

Apache HTTP Server 2.4.66 with mod_http2 enabled is vulnerable. Systems running MPM prefork are not affected because the single-process architecture doesn't exhibit the race condition necessary to trigger the bug.

Most production deployments use MPM event or MPM worker for performance reasons, making them vulnerable by default if HTTP/2 is enabled.

Recommended Mitigations

  1. Upgrade to Apache 2.4.67 as the primary remediation path
  2. Disable HTTP/2 temporarily by removing h2 and h2c from the Protocols directive if immediate patching isn't possible
  3. Monitor for exploitation by watching for patterns of worker crashes correlating with specific client connections
  4. Audit mod_http2 configuration to ensure it's only enabled where actually needed
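
As an added example (not from the article or the Apache project), the following POSIX shell helpers turn mitigations 1 to 3 into checks that can be exercised offline: they recognise the affected release in `httpd -v` output, flag a configuration whose Protocols directive still offers h2 or h2c, and count the AH00052 worker-crash lines that a sustained DoS would leave in error_log. The version line, the two config fragments and the log lines are constructed samples, and the AH00052 message format is assumed to match what Apache writes when it respawns a crashed child.

```shell
#!/bin/sh
# Added audit helpers for CVE-2026-23918; not part of the Apache project.
# Each function takes text as its argument so it can be exercised offline on
# the constructed samples below before being pointed at a real host.

# 0 if the "Server version:" line names the affected release 2.4.66.
version_is_affected() {
    ver=$(printf '%s\n' "$1" | sed -n 's#^Server version: Apache/\([0-9.]*\).*#\1#p')
    [ "$ver" = "2.4.66" ]
}

# 0 if any uncommented Protocols line still offers h2 (TLS) or h2c (cleartext).
config_offers_h2() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
        | grep '^[[:space:]]*Protocols[[:space:]]' \
        | grep -Eq '(^|[[:space:]])h2c?([[:space:]]|$)'
}

# Number of AH00052 "exit signal Segmentation fault" lines, i.e. respawned workers.
count_worker_crashes() {
    printf '%s\n' "$1" | grep -c 'AH00052: .*exit signal Segmentation fault' || true
}

# --- constructed samples (not captured from a real server) ---
SAMPLE_VERSION='Server version: Apache/2.4.66 (Unix)
Server built:   May 20 2026 10:11:12'

# The weak setting beside the mitigated one (the primary fix is still 2.4.67).
WEAK_CONF='Protocols h2 h2c http/1.1'
FIXED_CONF='# Protocols h2 h2c http/1.1   (h2/h2c removed until 2.4.67 is deployed)
Protocols http/1.1'

SAMPLE_LOG='[Sat May 23 10:00:01.000000 2026] [core:notice] [pid 100] AH00052: child pid 201 exit signal Segmentation fault (11)
[Sat May 23 10:00:01.400000 2026] [core:notice] [pid 100] AH00052: child pid 202 exit signal Segmentation fault (11)
[Sat May 23 10:00:02.000000 2026] [mpm_event:notice] [pid 100] AH00489: Apache/2.4.66 (Unix) configured -- resuming normal operations'

# Summary on the samples; swap in `httpd -v`, httpd.conf and error_log on a host.
if version_is_affected "$SAMPLE_VERSION"; then
    echo "version: 2.4.66 is affected, upgrade to 2.4.67"
fi
if config_offers_h2 "$WEAK_CONF"; then
    echo "weak config: h2/h2c still offered"
fi
if ! config_offers_h2 "$FIXED_CONF"; then
    echo "fixed config: HTTP/2 disabled"
fi
echo "worker crashes in sample log: $(count_worker_crashes "$SAMPLE_LOG")"
```

A burst of AH00052 lines on its own is not proof of exploitation; correlate the crash timestamps with the client connections active on those workers, as mitigation 3 describes.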

For containerized deployments, pulling the latest official httpd image should include the fix. Verify the version number before trusting automated updates.

Organizations running Apache behind reverse proxies or load balancers that terminate HTTP/2 before reaching Apache backends may have reduced exposure. But this assumes the proxy itself isn't similarly vulnerable—defense in depth suggests patching anyway.

The Apache security team credited the vulnerability discovery to the project's continuous fuzzing infrastructure, which caught the bug before any known exploitation occurred.