Apache Flaw CVE-2026-23918 Can Trigger DoS With Just Two Frames
The Apache Foundation has just released a security update for its HTTP server to address several vulnerabilities. Among them, one flaw deserves special attention because it can allow an attacker to cause a denial of service, or even achieve remote code execution (RCE). Here is what we know about CVE-2026-23918.
A "double free" in the HTTP/2 module
The new security bulletin published on May 4, 2026 by the Apache Foundation contains a long list of patched vulnerabilities. In fact, it references a total of 11 vulnerabilities fixed in the latest version of the Apache HTTP server, including CVE-2026-23918.
This security issue is located in the mod_http2 module, which handles HTTP/2 connections for the Apache HTTP server. While most of the other patched vulnerabilities affect many Apache versions, this one affects only a single specific version: 2.4.66.
Discovered by Bartlomiej Dmitruk (co-founder of Striga.ai) and Stanislaw Strzalkowski (researcher at ISEC.pl), this flaw is based on a "double free" that is triggered during the cleanup process of an HTTP/2 stream. It carries a CVSS score of 8.8 out of 10.
According to information provided by Bartlomiej Dmitruk to The Hacker News, this bug occurs when a client sends an HTTP/2 HEADERS frame immediately followed by an RST_STREAM frame (with a non-zero error code) on the same stream, before the multiplexer has been able to register it. In the end, an operation is duplicated in the cleanup array, so the system tries to destroy a memory area that has already been freed.
There are two main risks associated with this security flaw:
- A denial of service (DoS)
This vulnerability is exploitable on all servers using mod_http2 with a multi-threaded Multi-Processing Module (MPM) (note that the prefork MPM is not affected).
"The first is denial of service, which is trivial: one TCP connection, two frames, no authentication, no special headers, no specific URL, and the worker crashes. Apache restarts it, but every request handled by the crashed worker is dropped, and the pattern can be maintained as long as the attacker keeps sending," the researcher explains.
- Potential remote code execution (RCE)
In some more complex cases, this vulnerability could also allow remote code execution. This requires the use of mmap-based memory allocation through the Apache Portable Runtime (APR). This is said to be the default configuration on Debian-based systems as well as on the official httpd Docker image.
"Standard caveats apply: for a real-world exploit, you need an information leak about the `system()` function and the score array offsets, and the heap spray attack is probabilistic; however, in lab conditions, execution succeeds within a few minutes," the researcher notes.
How can you protect yourself from CVE-2026-23918?
The mod_http2 module is included in standard Apache builds, and the HTTP/2 protocol is now very widely enabled in production. However, this security flaw affects only one Apache2 web server version: 2.4.66.
CVE-2026-23918, along with 10 other security flaws, has been patched in Apache HTTP Server 2.4.67. It is currently being distributed as a security update, notably on Debian.
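A quick way to check a host against the conditions described above (version 2.4.66, mod_http2 loaded, a non-prefork MPM), as an added example that is not part of the original article or of the Apache project: the sample output below is constructed, and on a real host you would pass the output of `httpd -v` and `httpd -M` (or `apachectl -M`) instead.

```shell
#!/bin/sh
# Constructed sample output standing in for `httpd -v` and `httpd -M` on the host being assessed.
SAMPLE_V='Server version: Apache/2.4.66 (Unix)
Server built:   May  4 2026 12:00:00'
SAMPLE_M='Loaded Modules:
 core_module (static)
 mpm_event_module (shared)
 http2_module (shared)
 ssl_module (shared)'

# $1: output of `httpd -v`, $2: output of `httpd -M`.
# Prints "exposed: ..." and returns 0 when all three conditions hold, otherwise
# prints "not-exposed: <reason>" and returns 1.
cve_2026_23918_exposure() {
  version=$(printf '%s\n' "$1" | sed -n 's#^Server version: Apache/\([0-9][0-9.]*\).*#\1#p')
  if [ "$version" != "2.4.66" ]; then
    echo "not-exposed: version ${version:-unknown} is not 2.4.66"
    return 1
  fi
  # The bug lives in mod_http2, so a build without it loaded is not reachable.
  if ! printf '%s\n' "$2" | grep -q '^ *http2_module '; then
    echo "not-exposed: mod_http2 not loaded"
    return 1
  fi
  # Only multi-threaded MPMs are affected; prefork is explicitly excluded.
  if printf '%s\n' "$2" | grep -q '^ *mpm_prefork_module '; then
    echo "not-exposed: prefork MPM is not affected"
    return 1
  fi
  mpm=$(printf '%s\n' "$2" | sed -n 's#^ *\(mpm_[a-z]*_module\).*#\1#p' | head -n 1)
  echo "exposed: 2.4.66 with mod_http2 on ${mpm:-unknown MPM}; upgrade to 2.4.67"
  return 0
}

# On a live host: cve_2026_23918_exposure "$(httpd -v)" "$(httpd -M 2>&1)"
cve_2026_23918_exposure "$SAMPLE_V" "$SAMPLE_M"
```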