Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Possible RCE

The Apache Software Foundation (ASF) has released security updates to address several security vulnerabilities in HTTP Server, including a critical vulnerability that could lead to remote code execution (RCE).
The vulnerability, tracked as CVE-2026-23918 (CVSS score: 8.8), is described as a "double-free and probable RCE" issue in the handling of the HTTP/2 protocol. This issue affects Apache HTTP Server 2.4.66 and has been addressed in version 2.4.67.
Striga.ai founder Bartlomiej Dmitruk and ISEC.pl researcher Stanislaw Strzalkowski were given credit for discovering and reporting the vulnerability.
When reached for comment, Dmitruk told Hacker News via email that the severity of CVE-2026-23918 is critical, as it can be used to achieve denial-of-service (DoS) and RCE. More vulnerability details are below –
CVE-2026-23918 is a double-free in Apache httpd 2.4.66 mod_http2, specifically in the stream cleanup method of h2_mplx.c. The bug starts when the client sends an HTTP/2 HEADERS frame immediately followed by an RST_STREAM with a non-zero error code in the same stream, before the multiplexer registers the stream.
The two nghttp2 callbacks then fire in sequence, on_frame_recv_cb for RST and on_stream_close_cb for closing, and both end up calling h2_mplx_c1_client_rst -> m_stream_cleanup, pushing the same h2_stream pointer to the cleanup process twice. When c1_purge_streams later repeats the purge and calls h2_stream_destroy -> apr_pool_destroy on each entry, the second call hits the already freed memory.
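The sequence Dmitruk describes (two callbacks queueing the same stream for cleanup, then one purge pass destroying every queued entry) is a generic double-cleanup pattern. The following is an added illustration, not mod_http2 source: the struct and function names (`stream_t`, `mplx_t`, `stream_cleanup_unguarded`, `stream_cleanup_guarded`, `purge_streams`) are assumed, the purge list is a fixed array instead of httpd's pool machinery, and the guard shown is the generic idempotent-cleanup defence, not necessarily the upstream patch. Instead of freeing memory, `stream_destroy` records a second destroy so the model stays memory-safe while still showing which variant would hit freed memory.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the double-cleanup pattern described in the article.
 * Illustrative code, not mod_http2 source: names are assumed. */

typedef struct stream {
    int id;
    int destroyed;       /* set once the stream's resources are released */
    int cleanup_queued;  /* guard: stream is already on the purge list */
} stream_t;

#define MAX_PURGE 8

typedef struct mplx {
    stream_t *purge[MAX_PURGE]; /* streams waiting to be destroyed */
    int npurge;
    int destroy_calls;          /* how many times stream_destroy ran */
    int double_destroys;        /* destroy attempted on an already-destroyed stream */
} mplx_t;

static void mplx_init(mplx_t *m) { memset(m, 0, sizeof *m); }

/* Flawed variant: every caller appends, so two callbacks for the same
 * stream queue the same pointer twice. */
static void stream_cleanup_unguarded(mplx_t *m, stream_t *s) {
    if (m->npurge < MAX_PURGE) m->purge[m->npurge++] = s;
}

/* Guarded variant: queueing is idempotent, so a stream is purged at most once.
 * Returns 1 if the stream was queued, 0 if it was already pending. */
static int stream_cleanup_guarded(mplx_t *m, stream_t *s) {
    if (s->cleanup_queued) return 0;
    s->cleanup_queued = 1;
    if (m->npurge < MAX_PURGE) m->purge[m->npurge++] = s;
    return 1;
}

/* Stands in for h2_stream_destroy -> apr_pool_destroy. A second call on the
 * same stream is counted rather than acted on, so the model never frees twice. */
static void stream_destroy(mplx_t *m, stream_t *s) {
    m->destroy_calls++;
    if (s->destroyed) { m->double_destroys++; return; }
    s->destroyed = 1;
}

/* Stands in for c1_purge_streams: destroys every queued entry. */
static void purge_streams(mplx_t *m) {
    for (int i = 0; i < m->npurge; i++) stream_destroy(m, m->purge[i]);
    m->npurge = 0;
}

/* Replays the sequence from the article: the RST handler and the stream-close
 * handler both request cleanup for one stream before the purge runs.
 * Returns the number of double destroys observed. */
static int simulate_rst_then_close(int guarded) {
    mplx_t m;
    stream_t s = { .id = 1, .destroyed = 0, .cleanup_queued = 0 };
    mplx_init(&m);
    /* on_frame_recv_cb for the RST_STREAM */
    if (guarded) stream_cleanup_guarded(&m, &s); else stream_cleanup_unguarded(&m, &s);
    /* on_stream_close_cb for the close */
    if (guarded) stream_cleanup_guarded(&m, &s); else stream_cleanup_unguarded(&m, &s);
    purge_streams(&m);
    return m.double_destroys;
}

int main(void) {
    printf("unguarded: %d double destroy(s)\n", simulate_rst_then_close(0));
    printf("guarded:   %d double destroy(s)\n", simulate_rst_then_close(1));
    return 0;
}
```

The unguarded run reports one double destroy, the guarded run none. The design point is that cleanup registration must be idempotent whenever more than one event path can request it for the same object; a per-object "already queued" flag, checked and set before the object is appended, is the cheapest way to get that property.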
The DoS, Dmitruk added, is trivial and works on any default deployment with mod_http2 and a multi-threaded MPM, while the RCE path requires the Apache Portable Runtime (APR) to be built with the mmap allocator, which is the default on Debian-based systems and in the official httpd Docker image. Dmitruk also explained –
The first is denial of service, which is trivial: one TCP connection, two frames, no authentication, no special headers, no specific URL, and a crash. Apache restarts, but all requests to the crashed worker are dropped, and the pattern can be kept up for as long as the attacker keeps sending.
The second is remote code execution, with a working proof of concept built on x86_64. The chain places a dummy h2_stream structure at a virtual address freed by mmap reuse, points its pool cleanup function to system(), and uses Apache's scoreboard memory as a stable container for the dummy structures and command strings.
The scoreboard stays at a fixed address for the lifetime of the server, even with ASLR, which is what makes the RCE method work. The usual caveats apply: a practical exploit requires a system() info leak and scoreboard removal, and a heap spray is possible, but in lab conditions the performance runs in minutes.
Dmitruk also pointed out that the prefork MPM is not affected by the bug. However, the researcher cautioned that the attack surface is large, since mod_http2 ships by default and HTTP/2 is widely enabled in production deployments. Given the severity of the bug, users are advised to apply the latest fix for full protection.
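The affected profile the article spells out (httpd 2.4.66, mod_http2 loaded, a threaded MPM for the DoS, APR with the mmap allocator for the RCE path, prefork unaffected, 2.4.67 fixed) can be turned into an inventory check. The following is an added example, not an Apache tool: it parses the text that `httpd -V` and `httpd -M` print, the sample outputs are constructed, and because the APR allocator choice is not visible in that output it is passed in as a flag the operator supplies from their build or package knowledge. Versions other than 2.4.66 and 2.4.67 are reported as unknown rather than safe, since the article only speaks to those two.

```c
#include <stdio.h>
#include <string.h>

/* Exposure check against the affected profile described in the article.
 * Illustrative code, not an Apache tool. Samples below are constructed. */

typedef enum {
    EXPOSURE_UNKNOWN = 0,   /* version not covered by the advisory text */
    EXPOSURE_NONE,          /* fixed version, no mod_http2, or prefork MPM */
    EXPOSURE_DOS,           /* 2.4.66 + mod_http2 + threaded MPM */
    EXPOSURE_DOS_AND_RCE    /* ...and APR built with the mmap allocator */
} exposure_t;

/* Constructed `httpd -V` outputs (real format, assumed values). */
static const char SAMPLE_V_EVENT[] =
    "Server version: Apache/2.4.66 (Unix)\n"
    "Server MPM:     event\n"
    "  threaded:     yes (fixed thread count)\n";
static const char SAMPLE_V_PREFORK[] =
    "Server version: Apache/2.4.66 (Unix)\n"
    "Server MPM:     prefork\n"
    "  threaded:     no\n";
static const char SAMPLE_V_FIXED[] =
    "Server version: Apache/2.4.67 (Unix)\n"
    "Server MPM:     event\n";

/* Constructed `httpd -M` outputs. */
static const char SAMPLE_M_H2[] =
    "Loaded Modules:\n"
    " core_module (static)\n"
    " http2_module (shared)\n";
static const char SAMPLE_M_NOH2[] =
    "Loaded Modules:\n"
    " core_module (static)\n";

/* Returns 1 if `label` occurs in text and, after optional blanks, is followed
 * by exactly `value` (terminated by end of line, a space, or end of string). */
static int field_equals(const char *text, const char *label, const char *value) {
    const char *p = strstr(text, label);
    if (!p) return 0;
    p += strlen(label);
    while (*p == ' ' || *p == '\t') p++;
    size_t n = strlen(value);
    return strncmp(p, value, n) == 0 && (p[n] == '\0' || p[n] == '\n' || p[n] == ' ');
}

/* apr_mmap_allocator: 1 if APR on this host uses the mmap allocator
 * (per the article, the default on Debian-based systems and the official
 * httpd Docker image); it cannot be read from httpd -V/-M output. */
static exposure_t classify(const char *v_out, const char *m_out, int apr_mmap_allocator) {
    if (strstr(v_out, "Apache/2.4.67")) return EXPOSURE_NONE;
    if (!strstr(v_out, "Apache/2.4.66")) return EXPOSURE_UNKNOWN;
    if (!strstr(m_out, " http2_module")) return EXPOSURE_NONE;
    if (field_equals(v_out, "Server MPM:", "prefork")) return EXPOSURE_NONE;
    if (field_equals(v_out, "Server MPM:", "event") ||
        field_equals(v_out, "Server MPM:", "worker"))
        return apr_mmap_allocator ? EXPOSURE_DOS_AND_RCE : EXPOSURE_DOS;
    return EXPOSURE_UNKNOWN;
}

static const char *exposure_name(exposure_t e) {
    switch (e) {
    case EXPOSURE_NONE:        return "not exposed";
    case EXPOSURE_DOS:         return "exposed: DoS";
    case EXPOSURE_DOS_AND_RCE: return "exposed: DoS and probable RCE";
    default:                   return "unknown (version not covered)";
    }
}

int main(void) {
    printf("event + mod_http2 + mmap APR: %s\n",
           exposure_name(classify(SAMPLE_V_EVENT, SAMPLE_M_H2, 1)));
    printf("prefork + mod_http2:          %s\n",
           exposure_name(classify(SAMPLE_V_PREFORK, SAMPLE_M_H2, 1)));
    printf("2.4.67:                       %s\n",
           exposure_name(classify(SAMPLE_V_FIXED, SAMPLE_M_H2, 1)));
    return 0;
}
```

In practice the two strings would be read from the real `httpd -V` and `httpd -M` output on each host (the binary is `apache2` on Debian-derived systems). The check is a triage aid for prioritising the upgrade to 2.4.67 across a fleet, not a substitute for it: a "not exposed" result for prefork or a missing mod_http2 rests on the configuration staying that way.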