CVE-2026-23918 PUBLISHED

Apache HTTP Server: http2: double free and possible RCE on early reset

Assigner: apache
Reserved: 19.01.2026 | Published: 04.05.2026 | Updated: 05.05.2026

Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol.

This issue affects Apache HTTP Server: 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Product Status

Vendor: Apache Software Foundation
Product: Apache HTTP Server
Versions (default: unaffected):
  • Version 2.4.66 is affected

Credits

  • Bartlomiej Dmitruk, striga.ai (finder)
  • Stanislaw Strzalkowski, isec.pl (finder)

Problem Types

  • CWE-415: Double Free