Full Report
The Apache Software Foundation (ASF) has released security updates to address several security vulnerabilities in the HTTP Server, including a severe vulnerability that could potentially lead to remote code execution (RCE). The vulnerability, tracked as CVE-2026-23918 (CVSS score: 8.8), has been described as a case of "double free and possible RCE" in the HTTP/2 protocol handling. This issue
Analysis Summary
# Vulnerability: Apache HTTP/2 Double-Free RCE
## CVE Details
- **CVE ID:** CVE-2026-23918
- **CVSS Score:** 8.8 (High/Critical)
- **CWE:** CWE-415 (Double Free)
## Affected Systems
- **Products:** Apache HTTP Server
- **Versions:** Version 2.4.66
- **Configurations:**
  - Systems with `mod_http2` enabled.
  - Multi-threaded Multi-Processing Modules (MPMs) are vulnerable to DoS.
  - Systems using the Apache Portable Runtime (APR) with `mmap` allocator (default on Debian-derived systems and official Docker images) are susceptible to the RCE path.
## Vulnerability Description
The flaw exists in `mod_http2`, specifically within the stream cleanup path of `h2_mplx.c`. It is triggered when a client sends an HTTP/2 `HEADERS` frame immediately followed by a `RST_STREAM` frame with a non-zero error code before the multiplexer registers the stream.
This sequence causes two `nghttp2` callbacks—`on_frame_recv_cb` and `on_stream_close_cb`—to fire sequentially. Both callbacks invoke `m_stream_cleanup`, which pushes the same `h2_stream` pointer onto the cleanup array twice. When the server later attempts to destroy these streams, it executes `apr_pool_destroy` on memory that has already been freed.
## Exploitation
- **Status:** PoC available (developed by researchers for x86_64).
- **Complexity:**
  - **Low** for Denial of Service (DoS).
  - **High** for Remote Code Execution (RCE) (requires info leaks and heap spraying).
- **Attack Vector:** Network (Unauthenticated).
## Impact
- **Confidentiality:** High (Potential for RCE).
- **Integrity:** High (Potential for RCE).
- **Availability:** High (Trivial worker process crashes/DoS).
## Remediation
### Patches
- **Apache HTTP Server 2.4.67:** Users should upgrade to this version immediately to resolve the issue.
### Workarounds
- **Disable HTTP/2:** If upgrading is not immediately possible, disabling `mod_http2` will mitigate the risk.
- **Switch MPM:** The vulnerability reportedly does not affect the `prefork` MPM, though switching MPMs may have significant performance implications.
## Detection
- **Indicators of Compromise:** Unusual patterns of worker process crashes (segmentation faults) followed by immediate respawns.
- **Detection Methods:** Monitor for rapid sequences of `HEADERS` followed by `RST_STREAM` on the same HTTP/2 stream identifier before stream registration completes.
## References
- **Vendor Advisory:** hxxps[://]httpd[.]apache[.]org/security/vulnerabilities_24[.]html
- **Mailing List:** hxxps[://]lists[.]apache[.]org/thread/otwt07gfnp6x2b58hnbghgs9r4ovy3yf
- **CVE Record:** hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-23918