
Apache HTTP Server's HTTP/2 Module Has a Memory Bug That Can Crash or Compromise Your Server

CVE-2026-23918 is a double-free flaw in Apache httpd 2.4.66's mod_http2 that enables trivial DoS and working RCE. Patch to 2.4.67 now.

Critical Apache HTTP/2 Flaw (CVE-2026-23918)

A memory management flaw buried inside Apache HTTP Server's HTTP/2 module is giving attackers two options: crash your web server with a two-frame network packet, or — under the right conditions — run arbitrary code on it. 

The Apache Software Foundation shipped a fix on May 4 as part of the 2.4.67 release, but every installation still running 2.4.66 with HTTP/2 enabled is exposed right now.

The vulnerability, CVE-2026-23918 (CVSS 8.8), was discovered by Bartlomiej Dmitruk, co-founder of Striga.ai, and Stanislaw Strzalkowski of ISEC.pl. It is a double-free — a class of memory corruption bug where the same chunk of memory gets released twice — inside h2_mplx.c, the stream cleanup path of mod_http2.

What triggers it?

The bug fires when a client sends an HTTP/2 HEADERS frame immediately followed by an RST_STREAM frame on the same stream before the server's multiplexer has had a chance to register the stream. Two internal callbacks — on_frame_recv_cb and on_stream_close_cb — both fire in rapid succession and independently walk the same cleanup path, pushing the same stream pointer into the purge queue twice. 

When Apache later iterates that queue and calls apr_pool_destroy on each entry, the second call hits memory that is already gone.
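The two-callback pattern described above is easier to reason about with a small model. The following C program is an added example, not code from mod_http2 or the Apache project: it mocks a purge queue, two cleanup callbacks that both enqueue the same stream, and a drain loop standing in for the apr_pool_destroy pass. The unguarded path shows the double enqueue (and therefore the double destroy) that the article describes; the guarded path, which marks a stream as already queued, is an illustrative mitigation of the bug class and is not the actual fix shipped in 2.4.67. The drain function counts destroy calls instead of freeing real memory so the model can run safely.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (not mod_http2's data structures): a stream object and a
 * purge queue that is drained later by a pool-destroy pass. */
typedef struct stream {
    int id;
    bool purged;        /* guard used by the hardened path only */
    int destroy_calls;  /* instrumentation: how often the destroy pass hit this entry */
} stream_t;

#define PURGE_MAX 8
typedef struct purge_queue {
    stream_t *entries[PURGE_MAX];
    size_t n;
} purge_queue_t;

static void queue_init(purge_queue_t *q) { memset(q, 0, sizeof *q); }

/* Vulnerable pattern: every caller that walks the cleanup path appends blindly,
 * so two callbacks racing on one unregistered stream queue the same pointer twice. */
static void purge_unchecked(purge_queue_t *q, stream_t *s) {
    if (q->n < PURGE_MAX) q->entries[q->n++] = s;
}

/* Hardened pattern (illustrative, assumed): the stream records that it is already
 * queued, so a second callback arriving for the same stream becomes a no-op. */
static bool purge_once(purge_queue_t *q, stream_t *s) {
    if (s->purged) return false;
    s->purged = true;
    if (q->n < PURGE_MAX) q->entries[q->n++] = s;
    return true;
}

/* Stand-in for the apr_pool_destroy loop. With real pool memory the second call
 * on the same entry would be the double free; here we only count the calls. */
static void drain(purge_queue_t *q) {
    for (size_t i = 0; i < q->n; i++) q->entries[i]->destroy_calls++;
    q->n = 0;
}

/* Replays the sequence from the text: a frame-receive callback and a stream-close
 * callback each run the cleanup path for a stream the multiplexer never registered.
 * Returns how many times the destroy pass touched that stream. */
int simulate(bool hardened) {
    purge_queue_t q;
    queue_init(&q);
    stream_t *s = calloc(1, sizeof *s);
    if (!s) return -1;
    s->id = 1;

    /* on_frame_recv_cb sees HEADERS immediately followed by RST_STREAM */
    if (hardened) purge_once(&q, s); else purge_unchecked(&q, s);
    /* on_stream_close_cb fires for the same stream moments later */
    if (hardened) purge_once(&q, s); else purge_unchecked(&q, s);

    drain(&q);
    int calls = s->destroy_calls;
    free(s);  /* the model frees the stream exactly once, here */
    return calls;
}

int main(void) {
    printf("unguarded cleanup path: destroy called %d time(s)\n", simulate(false));
    printf("guarded cleanup path:   destroy called %d time(s)\n", simulate(true));
    return 0;
}
```

The unguarded run reports two destroy calls for one stream, which is the shape of the defect: nothing in the queue or the callbacks records that cleanup has already been scheduled. Any real fix has to make the cleanup path idempotent per stream, whether by a flag as modelled here or by registering the stream before either callback can run.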

Two outcomes, very different threat levels

The DoS is the easy one. Dmitruk described it bluntly: one TCP connection, two frames, no authentication, no special headers, no specific URL. The worker process crashes. Apache respawns it automatically, but every request it was handling is dropped — and an attacker can keep cycling this indefinitely.

The remote code execution scenario is more demanding but not theoretical. The research team built a working proof-of-concept on x86-64. It exploits the freed memory via mmap reuse to plant a fake stream structure pointing Apache's own pool cleanup function at system().

The key enabler is Apache's scoreboard memory, which sits at a fixed address for the entire lifetime of the server process — even with ASLR (address space layout randomization) active — giving attackers a stable target. The RCE path specifically requires Apache Portable Runtime (APR) compiled with the mmap allocator, which happens to be the default on Debian-based Linux systems and the official Apache httpd Docker image.

One important carve-out: the MPM prefork mode is not affected. But because mod_http2 ships enabled in default Apache builds and HTTP/2 is standard in most production environments today, the exposed attack surface is significant.

The bigger patch batch

The 2.4.67 update patches nine additional vulnerabilities alongside CVE-2026-23918, including a moderate privilege escalation in mod_rewrite (CVE-2026-24072), a timing attack against digest authentication (CVE-2026-33006), and a cluster of AJP proxy memory-handling issues.

Upgrade to Apache HTTP Server 2.4.67 immediately. If an immediate upgrade is not feasible, disabling mod_http2 removes the primary attack surface for CVE-2026-23918. Operators running Debian-derived systems or the official Docker image should treat the RCE risk as real and urgent, not theoretical.
