Impact
The vulnerability is a double free in the HTTP/2 implementation of Apache HTTP Server, which can lead to arbitrary code execution. The flaw involves improper memory deallocation identified by CWE-415 and CWE-1341, and the CVE description notes that exploitation could result in remote code execution. The available information does not specify exact conditions for exploitation, but the potential impact includes full compromise of the affected system.
Affected Systems
The flaw affects the Apache HTTP Server 2.4.66 version provided by the Apache Software Foundation. Upgrading to 2.4.67 removes the vulnerability.
Risk and Exploitability
With a CVSS score of 8.8, the vulnerability is high severity. The EPSS score of 46% indicates a substantial likelihood that the flaw will be actively exploited in the wild. The likely attack vector is via an HTTP/2 connection initiated by an external client, as the flaw resides in the HTTP/2 implementation. The vulnerability is not listed in the CISA KEV catalog, but the combination of a high severity rating and a relatively high probability score suggests a need for prompt remediation.
OpenCVE Enrichment
Debian DSA
Ubuntu USN