Description
Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol.

This issue affects Apache HTTP Server: 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.
Published: 2026-05-04
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A double free in the HTTP/2 implementation of Apache HTTP Server can be triggered during an early reset, potentially allowing an attacker to execute arbitrary code on the server. The flaw falls under CWE‑415 and can compromise confidentiality, integrity, and availability if exploited.

Affected Systems

The vulnerability affects Apache HTTP Server version 2.4.66, as delivered by the Apache Software Foundation. Upgrade to version 2.4.67 removes the issue.

Risk and Exploitability

With a CVSS score of 8.8, the vulnerability is high severity. While the EPSS score is not available and the flaw is not listed in the CISA KEV catalog, the remote code execution potential and the lack of mitigation in the affected release suggest a high likelihood that malicious actors may exploit the weakness. The absence of public exploitation data does not reduce the risk, as similar double‑free conditions have historically led to successful attacks.

Generated by OpenCVE AI on May 4, 2026 at 17:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache HTTP Server to version 2.4.67 or later.
  • If upgrading is not immediately possible, disable HTTP/2 support by removing 'h2' from the 'Protocols' directive or setting 'Protocols http/1.1' to avoid triggering the vulnerability.
  • Verify that the system is not processing HTTP/2 traffic until the upgrade is applied or the protocol is disabled.

Generated by OpenCVE AI on May 4, 2026 at 17:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:http_server:2.4.66:*:*:*:*:*:*:*

Mon, 04 May 2026 18:30:00 +0000

Type Values Removed Values Added
References

Mon, 04 May 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache http Server
Vendors & Products Apache
Apache http Server

Mon, 04 May 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 04 May 2026 15:00:00 +0000

Type Values Removed Values Added
Description Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
Title Apache HTTP Server: http2: double free and possible RCE on early reset
Weaknesses CWE-415
References

Subscriptions

Apache Http Server
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-04T17:32:35.852Z

Reserved: 2026-01-19T13:00:21.720Z

Link: CVE-2026-23918

cve-icon Vulnrichment

Updated: 2026-05-04T17:32:35.852Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-04T15:16:03.583

Modified: 2026-05-04T20:24:58.200

Link: CVE-2026-23918

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-04T18:00:05Z

Weaknesses