
Apache HTTP Server mod_http2 double free and possible RCE (CVE-2026-23918)

Vulnerability
H score 17
1 unique sources, 1 articles

Summary


CVE-2026-23918 is a double free vulnerability in mod_http2 in Apache HTTP Server 2.4.66 that can cause DoS and possible remote code execution. Apache addressed the flaw in 2.4.67. The reported RCE path depends on an APR mmap allocator setup. The issue is significant because a working proof of concept exists and default deployments with mod_http2 and a multi-threaded MPM are exposed.


Timeline

  1. 05.05.2026 19:19 · 2 articles

    Apache HTTP Server CVE-2026-23918 disclosure and fix

    Initial Disclosure

    The Apache Software Foundation released security updates addressing CVE-2026-23918 in Apache HTTP Server 2.4.66: a double free in HTTP/2 handling within mod_http2 that can lead to denial of service and possible remote code execution. The flaw was fixed in Apache HTTP Server 2.4.67. Bartlomiej Dmitruk and Stanislaw Strzalkowski were credited with discovering and reporting it. The reported RCE path depends on Apache Portable Runtime mmap allocator behavior, while default deployments with mod_http2 and a multi-threaded MPM are exposed to the crash condition.
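The exposure condition described above (release 2.4.66, mod_http2 loaded, multi-threaded MPM) can be checked from `httpd -V` and `httpd -M` output. The script below is an added example, not code from the Apache project or from the reporting source. The sample output is constructed, the function names and verdict strings are illustrative, and flagging only 2.4.66 is an assumption taken from the summary.

```shell
#!/bin/sh
# Added example. Assumption: only 2.4.66 is flagged, the one affected
# release this page names; verdict strings are illustrative.

# Constructed sample of `httpd -V` / `httpd -M` output (not from a real host).
SAMPLE_V='Server version: Apache/2.4.66 (Unix)
Server MPM:     event
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)'
SAMPLE_M='Loaded Modules:
 core_module (static)
 mpm_event_module (shared)
 http2_module (shared)'

# Print x.y.z from the "Server version:" line; prints nothing if absent.
httpd_version() {
    printf '%s\n' "$1" |
        sed -n 's|^Server version: *Apache/\([0-9][0-9.]*\).*|\1|p'
}

# Succeed when `httpd -V` reports a threaded MPM (event, worker, ...).
mpm_is_threaded() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*threaded:[[:space:]]*yes'
}

# Succeed when mod_http2 is in the `httpd -M` module list.
http2_is_loaded() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*http2_module[[:space:]]'
}

# assess "<httpd -V output>" "<httpd -M output>" -> prints one verdict
assess() {
    ver=$(httpd_version "$1")
    if [ -z "$ver" ]; then
        echo "unknown"               # could not parse a version
    elif [ "$ver" != "2.4.66" ]; then
        echo "release-not-flagged"   # not the release named here; 2.4.67 has the fix
    elif ! http2_is_loaded "$2"; then
        echo "http2-not-loaded"      # affected module is not in use
    elif ! mpm_is_threaded "$1"; then
        echo "non-threaded-mpm"      # outside the stated exposure condition
    else
        echo "exposed"               # upgrade to 2.4.67
    fi
}

assess "$SAMPLE_V" "$SAMPLE_M"
```

On a live host, pass the real output instead: `assess "$(httpd -V 2>/dev/null)" "$(httpd -M 2>/dev/null)"`. Depending on the distribution the binary may be `apachectl` or `apache2ctl`.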
