Apache HTTP/2 Critical Double-Free Vulnerability (CVE-2026-23918) Enables RCE and DoS Attacks
- May 6
- 2 min read
Key Findings
Apache HTTP Server 2.4.66 contains CVE-2026-23918, a critical double-free vulnerability in HTTP/2 handling with a CVSS score of 8.8
The flaw enables both denial-of-service attacks and remote code execution under certain conditions
Affected versions are patched in Apache 2.4.67
Exploitation requires minimal effort for DoS but RCE demands specific server configurations with APR mmap allocator
MPM prefork mode is not affected, but HTTP/2's widespread deployment significantly increases exposure
Background
The Apache Software Foundation released security updates addressing multiple vulnerabilities in its HTTP Server, with particular focus on CVE-2026-23918. Security researchers Bartlomiej Dmitruk from striga.ai and Stanislaw Strzalkowski from isec.pl discovered the flaw. The vulnerability represents a significant threat because HTTP/2 support ships in default Apache builds and is commonly enabled across production environments.
Technical Details of the Double-Free Vulnerability
The vulnerability exists in mod_http2 within the stream cleanup path of h2_mplx.c. The bug triggers when a client sends an HTTP/2 HEADERS frame immediately followed by RST_STREAM with a non-zero error code on the same stream before the multiplexer registers the stream. Two nghttp2 callbacks then execute in sequence, firing both on_frame_recv_cb for the reset and on_stream_close_cb for the close event. Both callbacks invoke h2_mplx_c1_client_rst, which calls m_stream_cleanup and pushes the same h2_stream pointer onto the spurge cleanup array twice. When c1_purge_streams later iterates through spurge and calls h2_stream_destroy followed by apr_pool_destroy on each entry, the second call accesses memory that has already been freed, causing memory corruption.
Denial-of-Service Attack Path
The DoS exploitation path is trivial and works on any default deployment running mod_http2 with a multi-threaded MPM. An attacker needs only a single TCP connection and two frames to crash a worker process, with no authentication, special headers, or specific URL required. Apache automatically respawns the crashed worker, but all requests to that worker are dropped during the attack. An attacker can sustain this pattern indefinitely by repeatedly sending the malicious frame sequence, effectively degrading service availability.
Remote Code Execution Requirements
The RCE path is more complex and demands specific server configurations. It requires Apache Portable Runtime with the mmap allocator, which is the default configuration on Debian-derived systems and official httpd Docker images. Researchers built a working proof of concept on x86_64 that places a fake h2_stream struct at the freed virtual address through mmap reuse and points its pool cleanup function to system(). The exploit leverages Apache's scoreboard memory as a stable container for fake structures and command strings. Since the scoreboard sits at a fixed address throughout the server's lifetime regardless of ASLR, this makes the RCE practical. However, successful exploitation requires an information leak for the system() function and scoreboard offsets, and the heap spray remains probabilistic. In laboratory conditions, execution occurs within minutes.
Impact Assessment and Recommendations
The attack surface is large given that mod_http2 ships in default builds and HTTP/2 is widely enabled across production systems. While MPM prefork mode remains unaffected, most modern deployments use multi-threaded MPM configurations. Users are strongly advised to upgrade to Apache HTTP Server version 2.4.67 or later to mitigate both the DoS and potential RCE threats posed by this vulnerability.
Sources
https://securityaffairs.com/191759/security/apache-fixes-critical-http-2-double-free-flaw-cve-2026-23918-enabling-rce.html
https://thehackernews.com/2026/05/critical-apache-http2-flaw-cve-2026.html

Comments