Apache HTTP Server 2.4.67 fixes HTTP/2 flaw that could lead to remote code execution
Apache HTTP Server 2.4.67 is now available with fixes for several security vulnerabilities, including a serious HTTP/2 flaw that can cause a double-free memory error and possible remote code execution. Administrators running Apache HTTP Server 2.4.66 should treat this update as urgent.
The main issue is tracked as CVE-2026-23918. Apache rates it as important, while external scoring lists it as a high-severity issue with a CVSS score of 8.8. The flaw affects Apache HTTP Server 2.4.66 and was fixed in version 2.4.67, released on May 4, 2026.
The risk centers on Apache’s HTTP/2 handling. If an attacker triggers the vulnerable stream reset behavior, the server can free the same memory twice. That type of memory corruption can crash processes and may allow code execution under the right conditions.
What CVE-2026-23918 does
CVE-2026-23918 is a double-free vulnerability in Apache HTTP Server’s HTTP/2 implementation. A double-free bug happens when software releases the same memory area more than once, which can corrupt the server’s memory state.
In this case, the problem happens during an early HTTP/2 stream reset. Public technical analysis says the flaw can be triggered when a client sends an HTTP/2 HEADERS frame followed quickly by a RST_STREAM frame before the stream is fully registered.
The most immediate impact is a crash or denial of service. Apache’s advisory also warns about possible remote code execution, which is why administrators should patch instead of waiting for more public exploit details.
At a glance
| Detail | Information |
|---|---|
| Main CVE | CVE-2026-23918 |
| Affected product | Apache HTTP Server |
| Affected version | 2.4.66 |
| Fixed version | 2.4.67 |
| Release date | May 4, 2026 |
| Vulnerable area | HTTP/2 implementation |
| Impact | Double-free memory corruption, denial of service, possible remote code execution |
| Apache severity | Important |
Why this patch matters
Apache HTTP Server remains one of the most widely deployed web servers, so even a version-specific flaw can affect many public and private systems. The risk grows when servers expose HTTP/2 to the internet.
Attackers usually move quickly after public advisories appear. Memory corruption bugs in internet-facing services attract attention because they can give attackers a direct path to crash services or test exploit chains.
The safest response is to upgrade to Apache HTTP Server 2.4.67. Temporary mitigations can reduce exposure, but they do not replace the fixed version.
Other vulnerabilities fixed in Apache 2.4.67
| CVE | Severity | Component | Impact | Affected versions |
|---|---|---|---|---|
| CVE-2026-23918 | Important | HTTP/2 | Double-free and possible RCE | 2.4.66 |
| CVE-2026-24072 | Moderate | mod_rewrite and ap_expr | Local .htaccess authors can read files as the httpd user | 2.4.66 and earlier |
| CVE-2026-28780 | Low | mod_proxy_ajp | Heap-based buffer overflow from a malicious AJP server | 2.4.66 and earlier |
| CVE-2026-29168 | Low | mod_md | Resource exhaustion through unrestricted OCSP response data | 2.4.30 through 2.4.66 |
| CVE-2026-29169 | Low | mod_dav_lock | NULL pointer dereference and server crash | 2.4.66 and earlier |
| CVE-2026-33006 | Moderate | mod_auth_digest | Digest authentication bypass through timing attack | 2.4.66 |
| CVE-2026-33007 | Low | mod_authn_socache | Child process crash in caching forward proxy configuration | 2.4.0 through 2.4.66 |
| CVE-2026-33523 | Low | Multiple modules | HTTP response splitting with untrusted backend servers | 2.4.66 and earlier |
| CVE-2026-33857 | Low | mod_proxy_ajp | Out-of-bounds read | 2.4.66 and earlier |
| CVE-2026-34032 | Low | mod_proxy_ajp | Heap over-read from missing null termination checks | 2.4.66 and earlier |
| CVE-2026-34059 | Low | mod_proxy_ajp | Heap over-read and possible memory disclosure | 2.4.66 and earlier |
The .htaccess issue matters for shared hosting
CVE-2026-24072 also deserves attention, especially on shared hosting systems. This flaw allows local .htaccess authors to read files with the privileges of the httpd user.
That does not create the same internet-facing remote risk as the HTTP/2 double-free bug. Still, it can matter in environments where multiple users can upload or edit .htaccess files on the same server.
Hosting providers should review which customers or local accounts can write .htaccess files. They should also limit access to sensitive files that the httpd process can read.
AJP and module-specific bugs also received fixes
Apache 2.4.67 also fixes several lower-severity flaws in mod_proxy_ajp. These issues involve buffer overflows, over-reads, and memory disclosure risks when Apache connects to a malicious or compromised AJP backend.
The update also patches bugs in mod_md, mod_dav_lock, mod_auth_digest, and mod_authn_socache. Some of these issues can crash server processes, while others affect authentication or resource use in specific configurations.
That means administrators should not only focus on HTTP/2. The broader update improves safety across several optional modules that may still appear in production configurations.
What administrators should do now
- Upgrade Apache HTTP Server to version 2.4.67 as soon as possible.
- Check the installed version with `httpd -v` or `apachectl -v`.
- Restart Apache after the package update completes.
- Disable HTTP/2 temporarily if an immediate upgrade is not possible.
- Remove or disable mod_dav_lock if it is not actively used.
- Review .htaccess write permissions on shared hosting systems.
- Check whether mod_proxy_ajp connects only to trusted backend servers.
- Monitor logs for unusual HTTP/2 reset behavior and repeated worker crashes.
Temporary mitigation is not enough
Disabling HTTP/2 can reduce exposure to CVE-2026-23918, but it only addresses the most severe flaw in the update. It does not fix the other vulnerabilities patched in Apache 2.4.67.
Removing unused modules can also reduce attack surface. For example, administrators who do not need mod_dav_lock should disable it, especially because Apache notes that its known use case was tied to very old Apache Subversion deployments.
The complete fix remains a full upgrade to Apache HTTP Server 2.4.67. Teams that use packaged Apache builds should monitor Linux distribution, container, control panel, and vendor updates if they do not compile Apache directly.
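As an added example (not from the advisory or the Apache project), the following POSIX shell script automates the first checks in the list above and the HTTP/2 mitigation check: it parses the `httpd -v` / `apachectl -v` banner to classify the installed build as the affected 2.4.66, the fixed 2.4.67 or newer, or an older release, and reports whether a configuration fragment still offers h2/h2c through mod_http2's `Protocols` directive. The sample banner and config text are constructed; on a real host feed it `"$(httpd -v)"` and the server's config.

```shell
#!/bin/sh
# Added example, not from the advisory or the Apache project: classify the
# banner printed by `httpd -v` against CVE-2026-23918 (2.4.66 affected,
# fixed in 2.4.67) and report whether HTTP/2 is still offered via "Protocols".

# Pull "2.4.66" out of text such as "Server version: Apache/2.4.66 (Unix)".
apache_version() {
  printf '%s\n' "$1" | sed -n 's#.*Apache/\([0-9][0-9.]*\).*#\1#p' | head -n 1
}

# Succeed (exit 0) when dotted version $1 >= $2, numerically per field.
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
  done
  return 0
}

# affected : 2.4.66, the only release the advisory lists for CVE-2026-23918
# fixed    : 2.4.67 or newer
# older    : before 2.4.66; outside this CVE's range, but still missing the
#            other 2.4.67 fixes that apply to "2.4.66 and earlier"
# unknown  : no Apache version banner found
cve_2026_23918_status() {
  v=$(apache_version "$1")
  [ -z "$v" ] && { echo unknown; return 0; }
  if [ "$v" = 2.4.66 ]; then echo affected
  elif version_ge "$v" 2.4.67; then echo fixed
  else echo older
  fi
}

# Succeed when a non-comment "Protocols" line lists h2 or h2c, i.e. HTTP/2 is
# still offered. The temporary mitigation is to set "Protocols http/1.1".
http2_enabled() {
  printf '%s\n' "$1" | grep -v '^[[:space:]]*#' |
    grep -Eiq '^[[:space:]]*protocols[[:space:]]+(.*[[:space:]])?h2c?([[:space:]]|$)'
}

# Constructed sample input standing in for real `httpd -v` output and httpd.conf.
SAMPLE_V='Server version: Apache/2.4.66 (Unix)
Server built:   Jan  1 2026 00:00:00'
SAMPLE_CONF='# Protocols h2 http/1.1
Protocols http/1.1'
echo "CVE-2026-23918: $(cve_2026_23918_status "$SAMPLE_V")"
http2_enabled "$SAMPLE_CONF" && echo "HTTP/2 still offered" || echo "HTTP/2 off"
```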
FAQ
Apache rates the issue as important. External scoring lists it as high severity with a CVSS score of 8.8 because of its possible remote code execution impact.
Apache HTTP Server 2.4.67 fixes CVE-2026-23918 and other vulnerabilities included in the May 2026 update.
The main HTTP/2 double-free flaw affects Apache HTTP Server 2.4.66.
CVE-2026-23918 is a double-free vulnerability in Apache HTTP Server’s HTTP/2 implementation. It can cause memory corruption, denial of service, and possible remote code execution.