The Apache Software Foundation has released Apache HTTP Server 2.4.67 on May 4, 2026, a critical security update that patches five vulnerabilities, including a dangerous double-free flaw capable of enabling Remote Code Execution (RCE). All users running version 2.4.66 or earlier are strongly urged to upgrade immediately.
The most severe of the five vulnerabilities is CVE-2026-23918, rated High with a CVSS base score of 8.8.
The flaw is a double-free memory corruption bug triggered within Apache’s HTTP/2 protocol implementation during an “early stream reset” sequence.
A double-free vulnerability occurs when a program attempts to release the same memory region twice, corrupting heap memory structures and potentially enabling an attacker to redirect execution flow; in this case, that opens the door to Remote Code Execution.
The vulnerability exclusively affects Apache HTTP Server version 2.4.66 and was first reported to the Apache security team on December 10, 2025, by Bartlomiej Dmitruk of striga.ai and Stanislaw Strzalkowski of isec.pl.
A fix was committed in revision r1930444 the very next day, December 11, 2025, with the public patch shipped in the 2.4.67 release on May 4, 2026.
A second flaw, CVE-2026-24072, is rated Moderate and concerns mod_rewrite's use of ap_expr expression evaluation.
The vulnerability allows local .htaccess authors to read arbitrary files with the privileges of the httpd user, effectively escalating their privileges beyond their intended access level.
This bug affects Apache HTTP Server 2.4.66 and earlier and was reported on January 20, 2026, by researcher y7syeu.
Three further lower-severity flaws were also addressed in the same 2.4.67 update:
- CVE-2026-28780 (Low): a heap buffer overflow in mod_proxy_ajp via ajp_msg_check_header(). If mod_proxy_ajp connects to a malicious AJP server, that server can send a crafted AJP message causing the module to write 4 attacker-controlled bytes beyond the end of a heap buffer. Reported independently by four researchers between February and March 2026.
- CVE-2026-29168 (Low): resource exhaustion in mod_md's OCSP response handler. Attackers could exploit this to exhaust server resources via oversized OCSP response data. Affects versions 2.4.30 through 2.4.66; reported by Pavel Kohout of Aisle Research on March 2, 2026.
- CVE-2026-29169 (Low): a NULL pointer dereference in mod_dav_lock that allows an attacker to crash the server using a maliciously crafted request. Notably, mod_dav_lock is not used internally by mod_dav or mod_dav_fs; its only known use case was with mod_dav_svn from Apache Subversion versions prior to 1.2.0. As a mitigation, administrators who cannot upgrade immediately may simply remove mod_dav_lock.

| CVE | Severity | Component | Impact | Affected Versions |
|---|---|---|---|---|
| CVE-2026-23918 | High (CVSS 8.8) | HTTP/2 | Double Free / RCE | 2.4.66 only |
| CVE-2026-24072 | Moderate | mod_rewrite (ap_expr) | Privilege Escalation | ≤ 2.4.66 |
| CVE-2026-28780 | Low | mod_proxy_ajp | Heap Buffer Overflow | ≤ 2.4.66 |
| CVE-2026-29168 | Low | mod_md (OCSP) | Resource Exhaustion | 2.4.30–2.4.66 |
| CVE-2026-29169 | Low | mod_dav_lock | NULL Ptr Dereference / DoS | ≤ 2.4.66 |
Given Apache HTTP Server’s enormous global footprint, the RCE risk posed by CVE-2026-23918 represents a significant threat to enterprise infrastructure worldwide. Administrators should take the following actions immediately:
- Upgrade to Apache HTTP Server 2.4.67.
- Remove mod_dav_lock if the module is not in active use, as an interim mitigation for CVE-2026-29169.
- Review and restrict .htaccess permissions to limit exposure to CVE-2026-24072 in environments where local user access is a concern.
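As an added triage helper (not code from the advisory or the Apache project), the script below turns the version ranges from the table above and the loaded-module check behind the mod_dav_lock mitigation into something an administrator can run against `httpd -v` and `httpd -M` output; the `httpd -M` module identifiers (`http2_module`, `dav_lock_module`, etc.) are assumed, and the sample output is constructed.

```python
import re

# Affected ranges from the 2.4.67 advisory table (inclusive bounds) and the
# module identifier as printed by `httpd -M` (assumed names).
ADVISORIES = [
    ("CVE-2026-23918", "HTTP/2 double free / RCE", (2, 4, 66), (2, 4, 66), "http2_module"),
    ("CVE-2026-24072", "mod_rewrite ap_expr file read", (0, 0, 0), (2, 4, 66), "rewrite_module"),
    ("CVE-2026-28780", "mod_proxy_ajp heap overflow", (0, 0, 0), (2, 4, 66), "proxy_ajp_module"),
    ("CVE-2026-29168", "mod_md OCSP resource exhaustion", (2, 4, 30), (2, 4, 66), "md_module"),
    ("CVE-2026-29169", "mod_dav_lock NULL deref / DoS", (0, 0, 0), (2, 4, 66), "dav_lock_module"),
]

def parse_version(httpd_v_output):
    """Extract (major, minor, patch) from `httpd -v` text like 'Server version: Apache/2.4.66 (Unix)'."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", httpd_v_output)
    if not m:
        raise ValueError("no Apache/x.y.z version string found")
    return tuple(int(g) for g in m.groups())

def loaded_modules(httpd_m_output):
    """Collect module identifiers from `httpd -M` lines such as ' dav_lock_module (shared)'."""
    return set(re.findall(r"^\s*(\w+_module)\s+\((?:static|shared)\)", httpd_m_output, re.M))

def triage(httpd_v_output, httpd_m_output):
    """Return [(cve, summary, module_loaded)] for advisories whose range covers this build.
    module_loaded=False means the vulnerable module is not loaded, so exposure is reduced;
    the fix in every case is still the 2.4.67 upgrade."""
    version = parse_version(httpd_v_output)
    mods = loaded_modules(httpd_m_output)
    return [(cve, summary, module in mods)
            for cve, summary, lo, hi, module in ADVISORIES if lo <= version <= hi]

# Constructed sample output, not captured from a real host.
SAMPLE_V = "Server version: Apache/2.4.66 (Unix)\nServer built:   Jan  1 2026 00:00:00"
SAMPLE_M = """Loaded Modules:
 core_module (static)
 http2_module (shared)
 rewrite_module (shared)
 dav_lock_module (shared)
"""

if __name__ == "__main__":
    for cve, summary, loaded in triage(SAMPLE_V, SAMPLE_M):
        state = "module loaded" if loaded else "module not loaded"
        hint = "  -> interim: remove mod_dav_lock" if cve == "CVE-2026-29169" and loaded else ""
        print(f"{cve}: {summary} [{state}]{hint}")
```

On a real host, feed it the output of `httpd -v` and `httpd -M` (or `apachectl -M`) instead of the constructed samples.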