Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE

Published: May 5, 2026 at 12:19 PM EDT

Source: The Hacker News

Overview

The Apache Software Foundation (ASF) released security updates for the Apache HTTP Server that address several vulnerabilities, including a critical flaw that can lead to denial‑of‑service (DoS) and remote code execution (RCE).

Vulnerability Details

  • CVE: CVE-2026-23918
  • CVSS score: 8.8
  • Affected version: Apache HTTP Server 2.4.66 (mod_http2)
  • Fixed in: Apache HTTP Server 2.4.67

The issue is a double‑free in the HTTP/2 protocol handling code (h2_mplx.c). It is triggered when a client sends an HTTP/2 HEADERS frame immediately followed by a RST_STREAM frame with a non‑zero error code on the same stream, before the multiplexer has registered the stream. The sequence of callbacks leads to the same h2_stream pointer being added to the cleanup array twice, causing a second apr_pool_destroy on already‑freed memory.

Discovery and Credits

The vulnerability was discovered and reported by:

  • Bartlomiej Dmitruk, co‑founder of Striga.ai
  • Stanislaw Strzalkowski, researcher at ISEC.pl

Their contribution is acknowledged in the Apache mailing list thread.

Exploitation Details

Denial‑of‑Service (DoS)

  • Requires only one TCP connection and two frames (HEADERS + RST_STREAM).
  • No authentication, special headers, or specific URL needed.
  • The worker process crashes; Apache respawns it, but all requests handled by the crashed worker are dropped.
  • The attack can be sustained as long as the attacker continues sending the frames.
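The observable symptom of this DoS on the server side is the repeated death of worker processes, which httpd 2.4 records in its error log as an AH00051/AH00052 "child pid ... exit signal" notice. The following script is an added example for this write-up, not code from The Hacker News, the researchers, or the Apache project: it parses such notices and raises an alert whenever three or more worker crashes land inside a 60-second window, which is the kind of burst a sustained HEADERS+RST_STREAM stream would produce. It assumes the default ErrorLogFormat (adjust CRASH_RE otherwise) and chronologically ordered lines; the sample log lines are constructed for the example.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# httpd 2.4 logs a worker (child) that died on a signal as AH00051 (core dump
# possible) or AH00052. Assumption for this example: the default ErrorLogFormat
# is in use, so the line starts with "[timestamp] [module:level] [pid ...]".
CRASH_RE = re.compile(
    r"^\[(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)? (?P<year>\d{4})\] "
    r"\[[\w:]+\] \[pid [^\]]+\] AH0005[12]: child pid (?P<child>\d+) "
    r"exit signal (?P<sig>[^(]+) \((?P<signum>\d+)\)"
)

# Constructed sample lines (not from a real server): one startup notice,
# three worker crashes inside one minute, then an isolated crash later.
SAMPLE_LOG = [
    "[Tue May 05 12:18:30.000000 2026] [core:notice] [pid 1000:tid 140000] "
    "AH00094: Command line: '/usr/sbin/httpd'",
    "[Tue May 05 12:19:00.101010 2026] [core:notice] [pid 1000:tid 140000] "
    "AH00052: child pid 2001 exit signal Segmentation fault (11)",
    "[Tue May 05 12:19:10.202020 2026] [core:notice] [pid 1000:tid 140000] "
    "AH00052: child pid 2002 exit signal Segmentation fault (11)",
    "[Tue May 05 12:19:25.303030 2026] [core:notice] [pid 1000:tid 140000] "
    "AH00052: child pid 2003 exit signal Segmentation fault (11)",
    "[Tue May 05 12:21:00.404040 2026] [core:notice] [pid 1000:tid 140000] "
    "AH00052: child pid 2004 exit signal Segmentation fault (11)",
]


def parse_crash(line):
    """Return (timestamp, child_pid, signal_name, signal_number) for a worker
    crash notice, or None for any other log line."""
    m = CRASH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['ts']} {m['year']}", "%a %b %d %H:%M:%S %Y")
    return ts, int(m["child"]), m["sig"].strip(), int(m["signum"])


def crash_bursts(lines, window=timedelta(seconds=60), threshold=3):
    """Sliding-window detector: yield (timestamp, count) each time the number
    of worker crashes inside the trailing `window` reaches `threshold`.
    Lines are assumed to be in chronological order (as an error log is)."""
    recent = deque()   # timestamps of crashes still inside the window
    alerts = []
    for line in lines:
        parsed = parse_crash(line)
        if parsed is None:
            continue            # not a crash notice; ignore
        ts = parsed[0]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()    # drop crashes that fell out of the window
        if len(recent) >= threshold:
            alerts.append((ts, len(recent)))
    return alerts


if __name__ == "__main__":
    # Example run over the constructed sample; on a real host feed the script
    # the error log instead, e.g. crash_bursts(open("/var/log/httpd/error_log")).
    for when, count in crash_bursts(SAMPLE_LOG):
        print(f"ALERT {when}: {count} worker crashes in the last 60s")
```

A single crash notice is routine on a busy server; the window-and-threshold shape is what distinguishes a sustained frame flood from background noise, and both parameters should be tuned to the host's baseline before alerting on them.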

Remote Code Execution (RCE)

  • Feasible on systems using the APR mmap allocator (default on Debian‑derived distributions and the official httpd Docker image).
  • Exploit chain (demonstrated on x86_64) involves:
    1. Reusing the freed virtual address via mmap to place a fake h2_stream structure.
    2. Pointing the pool cleanup function to system().
    3. Using Apache’s scoreboard memory as a stable container for the fake structures and the command string.

  • The scoreboard resides at a fixed address for the server’s lifetime, making the RCE path practical despite ASLR.
  • Exploitation still requires an information leak to obtain the address of system() and scoreboard offsets; heap spraying is probabilistic, but a working proof‑of‑concept succeeded in a lab within minutes.

Mitigation and Recommendations

  • Upgrade to Apache HTTP Server 2.4.67 or later, which contains the fix for CVE-2026-23918.
  • If upgrading is not immediately possible, disable the mod_http2 module or switch to the prefork MPM, which is not affected by this flaw.
  • Review server configurations to ensure that HTTP/2 is only enabled where necessary.
  • Apply standard hardening practices: keep the APR library up to date, limit exposure of the scoreboard, and monitor for abnormal worker crashes.

By promptly applying the security updates and reviewing module usage, administrators can mitigate both the DoS and potential RCE risks associated with this critical vulnerability.
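The three conditions the advisory ties exposure to (a build below 2.4.67, mod_http2 loaded, and a non-prefork MPM) can all be read from the output of `httpd -v` and `httpd -M`. The script below is an added example written for this page, not tooling from the Apache project or the article's authors. It parses those two outputs and reports whether the host still needs action; the sample outputs are constructed. One labelled assumption: the advisory names 2.4.66 as the affected release, while this check conservatively flags every build below the fixed release as needing review.

```python
import re
import subprocess

# First release containing the fix for CVE-2026-23918, per the advisory.
FIXED_VERSION = (2, 4, 67)

# Constructed sample outputs (not captured from a real host).
SAMPLE_V = (
    "Server version: Apache/2.4.66 (Unix)\n"
    "Server built:   May  1 2026 00:00:00\n"
)
SAMPLE_M_EVENT = (
    "Loaded Modules:\n"
    " core_module (static)\n"
    " so_module (static)\n"
    " http_module (static)\n"
    " mpm_event_module (shared)\n"
    " http2_module (shared)\n"
)
SAMPLE_M_PREFORK = SAMPLE_M_EVENT.replace("mpm_event_module", "mpm_prefork_module")


def parse_version(httpd_v_output):
    """Extract (major, minor, patch) from `httpd -v` output, or None."""
    m = re.search(r"Server version: Apache/(\d+)\.(\d+)\.(\d+)", httpd_v_output)
    return tuple(int(x) for x in m.groups()) if m else None


def parse_modules(httpd_m_output):
    """Return the set of module names listed by `httpd -M`."""
    return set(re.findall(r"^\s*(\w+_module)\s+\((?:static|shared)\)\s*$",
                          httpd_m_output, re.M))


def assess(httpd_v_output, httpd_m_output):
    """Combine version, mod_http2 and MPM findings into one exposure verdict."""
    version = parse_version(httpd_v_output)
    modules = parse_modules(httpd_m_output)
    mpm = next((m for m in sorted(modules) if m.startswith("mpm_")), None)
    # Assumption: treat every build below the fixed release as pre-fix, even
    # though the advisory itself names only 2.4.66 as affected.
    pre_fix = version is not None and version < FIXED_VERSION
    http2_loaded = "http2_module" in modules
    # Exposure needs all three: pre-fix build, mod_http2 loaded, and an MPM
    # other than prefork (reported as unaffected in the advisory).
    exposed = pre_fix and http2_loaded and mpm != "mpm_prefork_module"
    return {
        "version": version,
        "pre_fix": pre_fix,
        "http2_loaded": http2_loaded,
        "mpm": mpm,
        "exposed": exposed,
    }


def assess_local(binary="httpd"):
    """Run the same checks against the local server binary. On Debian-derived
    systems pass binary="apache2ctl", which wraps apache2 with its environment."""
    v = subprocess.run([binary, "-v"], capture_output=True, text=True, check=True).stdout
    m = subprocess.run([binary, "-M"], capture_output=True, text=True, check=True).stdout
    return assess(v, m)


if __name__ == "__main__":
    # Demonstrate on the constructed samples; swap in assess_local() on a host.
    for label, mods in (("event MPM", SAMPLE_M_EVENT), ("prefork MPM", SAMPLE_M_PREFORK)):
        r = assess(SAMPLE_V, mods)
        print(f"{label}: version={r['version']} mpm={r['mpm']} "
              f"http2={r['http2_loaded']} exposed={r['exposed']}")
```

A host that reports `exposed=True` needs one of the advisory's steps: upgrade to 2.4.67, unload mod_http2, or move to the prefork MPM. The check reads only what the binary reports about itself, so it will not see a downstream distribution backport of the fix; on such systems, confirm with the vendor's changelog rather than the version string alone.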
