Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

A Critical Vulnerability in Apache HTTP/2: A Threat to Server Security



A critical vulnerability has been discovered in the HTTP/2 protocol handling of Apache HTTP Server that could allow an attacker to execute arbitrary code on a server. The vulnerability, tracked as CVE-2026-23918 (CVSS score: 8.8), affects Apache HTTP Server 2.4.66 and has been addressed in version 2.4.67. Users are advised to apply the latest fixes.

  • The HTTP/2 protocol handling in Apache HTTP Server (mod_http2) has a critical vulnerability (CVE-2026-23918) that can be exploited for denial-of-service (DoS) and remote code execution (RCE).
  • The vulnerability affects Apache HTTP Server 2.4.66 and has been addressed in version 2.4.67.
  • The bug was discovered by Striga.ai co-founder Bartlomiej Dmitruk and ISEC.pl researcher Stanislaw Strzalkowski.
  • The vulnerability is rated critical because it can be exploited to execute arbitrary code on the server.
  • Users are advised to apply the latest fixes to protect themselves from this potential attack vector.



The world of server security is constantly evolving, with new vulnerabilities and threats emerging on a daily basis. Recently, a critical vulnerability was discovered in the Apache HTTP/2 protocol handling, which has significant implications for the security of servers running this protocol. The vulnerability, tracked as CVE-2026-23918 (CVSS score: 8.8), has been described as a case of "double free and possible RCE" in the HTTP/2 protocol handling. This issue affects Apache HTTP Server 2.4.66 and has been addressed in version 2.4.67.

The vulnerability was discovered by Striga.ai co-founder Bartlomiej Dmitruk and ISEC.pl researcher Stanislaw Strzalkowski, who have been credited with reporting the bug to The Apache Software Foundation (ASF). When reached for comment, Dmitruk told The Hacker News via email that the severity of CVE-2026-23918 is critical, as it can be exploited to achieve denial-of-service (DoS) and remote code execution (RCE).

The vulnerability occurs when a client sends an HTTP/2 HEADERS frame immediately followed by RST_STREAM with a non-zero error code on the same stream, before the multiplexer has registered the stream. Two nghttp2 callbacks then fire in sequence, on_frame_recv_cb for the RST and on_stream_close_cb for the close, and both end up calling h2_mplx_c1_client_rst -> m_stream_cleanup, which pushes the same h2_stream pointer onto the spurge cleanup array twice. When c1_purge_streams later iterates spurge and calls h2_stream_destroy -> apr_pool_destroy on each entry, the second call hits memory that has already been freed.
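To make the mechanism concrete, here is an added illustration that is not mod_http2 code and not the project's actual patch: a toy multiplexer whose cleanup path queues the same stream twice, beside a guarded variant that makes the queueing idempotent. The names spurge, m_stream_cleanup and c1_purge_streams are stand-ins for those in the description above, and the queued flag is an assumed guard, one simple way to prevent the second entry.

```c
/* Hypothetical, simplified model of the double-queue bug described above;
 * names mirror the article, but this is illustration code, not mod_http2 source. */
#define MAX_PURGE 8

typedef struct h2_stream {
    int destroyed;   /* times the pool was "destroyed"; must end at 1 */
    int queued;      /* assumed guard flag, honoured only by the hardened variant */
} h2_stream;

typedef struct h2_mplx {
    h2_stream *spurge[MAX_PURGE];   /* streams awaiting destruction */
    int nspurge;
    int hardened;    /* 0: push unconditionally, 1: idempotent push */
} h2_mplx;

/* Stand-in for h2_mplx_c1_client_rst -> m_stream_cleanup. */
static void m_stream_cleanup(h2_mplx *m, h2_stream *s)
{
    if (m->hardened && s->queued)
        return;                      /* already queued: no second entry */
    if (m->nspurge < MAX_PURGE) {
        m->spurge[m->nspurge++] = s;
        s->queued = 1;
    }
}

/* Both nghttp2 callbacks named in the article reach the same cleanup. */
static void on_frame_recv_cb(h2_mplx *m, h2_stream *s)   { m_stream_cleanup(m, s); }
static void on_stream_close_cb(h2_mplx *m, h2_stream *s) { m_stream_cleanup(m, s); }

/* Stand-in for c1_purge_streams -> h2_stream_destroy -> apr_pool_destroy. A real
 * pool is freed on the first visit and a second visit touches freed memory;
 * here each visit only increments a counter, so the simulation is safe to run. */
static void c1_purge_streams(h2_mplx *m)
{
    for (int i = 0; i < m->nspurge; i++)
        m->spurge[i]->destroyed++;
    m->nspurge = 0;
}

/* Replays HEADERS then RST_STREAM (non-zero error) on one stream; returns how
 * many times that stream's pool would have been destroyed. */
int simulate_headers_then_rst(int hardened)
{
    h2_mplx m = { {0}, 0, hardened };
    h2_stream s = { 0, 0 };
    on_frame_recv_cb(&m, &s);      /* RST_STREAM frame received */
    on_stream_close_cb(&m, &s);    /* stream close notification */
    c1_purge_streams(&m);
    return s.destroyed;            /* 2 when vulnerable, 1 when hardened */
}
```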

The DoS, Dmitruk added, is trivial and works on any default deployment with mod_http2 and a multi-threaded MPM, whereas the RCE path requires an Apache Portable Runtime (APR) with the mmap allocator, which is the default on Debian-derived systems and on the official httpd Docker image. "The second outcome is remote code execution, and we built a working proof of concept on x86_64," Dmitruk further explained.

The chain places a fake h2_stream struct at the freed virtual address via mmap reuse, points its pool cleanup function to system(), and uses Apache's scoreboard memory as a stable container for the fake structures and the command string. This allows an attacker to potentially execute arbitrary code on the server, which is a severe vulnerability that must be addressed immediately.

In light of the severity of this flaw, users are advised to apply the latest fixes. The prefork MPM is not affected, but the researcher cautioned that the attack surface is large, as mod_http2 ships in default builds and HTTP/2 is widely enabled in production deployments.

The Apache Software Foundation has released security updates to address several security vulnerabilities in the HTTP Server, including the newly discovered CVE-2026-23918. Upgrading to version 2.4.67 protects users running Apache HTTP Server 2.4.66 from this attack vector.

In conclusion, the discovery of CVE-2026-23918 highlights the importance of staying up-to-date with the latest security patches for server software. As server administrators, it is crucial to regularly review security updates and apply them promptly to prevent potential vulnerabilities from being exploited by attackers.



Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Critical-Vulnerability-in-Apache-HTTP2-A-Threat-to-Server-Security-ehn.shtml

  • https://thehackernews.com/2026/05/critical-apache-http2-flaw-cve-2026.html


  • Published: Wed May 6 03:21:33 2026 by llama3.2 3B Q4_K_M













© Ethical Hacking News. All rights reserved.
