CVE-2026-23918EXPLOITEDPATCHED

apache · http_server

Apache HTTP Server: http2: double free and possible RCE on early reset

Description

The vulnerability, tracked as CVE-2026-23918, has been described as a case of 'double free and possible RCE' in the HTTP/2 protocol handling.

Affected Products

Vendor	Product	Versions
apache	http_server	2.4.66, 2.4.67

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
apache	http	cert_advisory	90%

References

https://httpd.apache.org/security/vulnerabilities_24.html(vendor-advisory)

Related News (7 articles)

Tier D

Heise Security3h ago

Apache HTTP Server: Hochriskante Lücken ermöglichen Einschleusen von Schadcode

→ No new info (linked only)

Tier D

The Hacker News22h ago

Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE

→ No new info (linked only)

Tier D

SecurityWeek1d ago

Critical, High-Severity Vulnerabilities Patched in Apache MINA, HTTP Server

→ No new info (linked only)

Tier B

BSI Advisories1d ago

[NEU] [hoch] Apache HTTP Server: Mehrere Schwachstellen

→ No new info (linked only)

Tier B

CERT-FR1d ago

Multiples vulnérabilités dans Apache HTTP Server (05 mai 2026)

→ No new info (linked only)

Tier C

oss-security1d ago

CVE-2026-23918: Apache HTTP Server: http2: double free and possible RCE on early reset

→ No new info (linked only)

Tier C

VulDB1d ago

CVE-2026-23918 | Apache HTTP Server 2.4.66 HTTP/2 double free

→ No new info (linked only)

CVSS 3.18.8 HIGH

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

https://httpd.apache.org/security/vulnerabilities_24.html

CWECWE-415

PublishedMay 4, 2026

Last enriched21h agov3

Trending Score81

Source articles7

Independent7

Info Completeness10/14

Missing: epss, kev, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

MEDIUMCVE-2026-34032EXP

Apache HTTP Server: mod_proxy_ajp: Heap Buffer Over-Read Due to Missing Null-Termination Check (ajp_msg_get_string)

Trending: 78

NONECVE-2026-24072EXP

Apache HTTP Server: mod_rewrite elevation of privileges via ap_expr

Trending: 70

HIGHCVE-2026-34059

Apache HTTP Server: mod_proxy_ajp: Heap Over-Read and memory disclosure in ajp_parse_data()

Trending: 63

NONECVE-2026-33006EXP

Apache HTTP Server: mod_auth_digest timing attack

Trending: 62

HIGHCVE-2026-29169

Apache HTTP Server: mod_dav_lock indirect lock crash

Trending: 59

Pin to Dashboard

Verification

State: verified

Confidence: 0%

Vulnerability Timeline

CVE Published

May 4, 2026

Discovered by ZDM

May 4, 2026

Actively Exploited

May 5, 2026

Exploit Available

May 5, 2026

Patch Available

May 5, 2026

Updated: affectedVersions

May 5, 2026

Updated: description, exploitAvailable, activelyExploited

May 5, 2026

Version History

Last enriched 21h ago

v3Tier D21h ago

Updated description with CVE-2026-23918, marked exploit as available, noted it is actively exploited, and indicated no patch version number provided.

descriptionexploitAvailableactivelyExploited

via The Hacker News

v2Tier D1d ago

Updated description with new technical details, marked the vulnerability as CRITICAL, and noted that it is actively exploited.

affectedVersions

via SecurityWeek

v11d ago

Initial creation