Description
Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol.

This issue affects Apache HTTP Server: 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.
Published: 2026-05-04
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A double free in the HTTP/2 implementation of Apache HTTP Server can be triggered during an early reset, potentially allowing an attacker to execute arbitrary code on the server. The flaw involves both double‑free semantics described by CWE‑415 and the uncontrolled memory deallocation pattern of CWE‑1341, and can compromise confidentiality, integrity, and availability if exploited.

Affected Systems

The vulnerability affects Apache HTTP Server version 2.4.66, as delivered by the Apache Software Foundation. Upgrade to version 2.4.67 removes the issue.

Risk and Exploitability

With a CVSS score of 8.8, the vulnerability is high severity. However, the EPSS score is < 1 % and the flaw is not listed in the CISA KEV catalog, indicating a low probability of exploitation. While remote code execution is possible if the double‑free is triggered, the likelihood of an attacker successfully exploiting the weakness in practice is considered low at this time, and no public exploitation data has been reported.

Generated by OpenCVE AI on May 6, 2026 at 01:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache HTTP Server to version 2.4.67 or later.
  • If upgrading is not immediately possible, disable HTTP/2 support by removing 'h2' from the 'Protocols' directive or setting 'Protocols http/1.1' to avoid triggering the vulnerability.
  • Verify that the system is not processing HTTP/2 traffic until the upgrade is applied or the protocol is disabled.

Generated by OpenCVE AI on May 6, 2026 at 01:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6248-1 apache2 security update
Ubuntu USN Ubuntu USN USN-8239-1 Apache HTTP Server vulnerabilities
History

Wed, 06 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1341
References
Metrics threat_severity

None

 threat_severity

Important

Mon, 04 May 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:http_server:2.4.66:*:*:*:*:*:*:*

Mon, 04 May 2026 18:30:00 +0000

Type Values Removed Values Added
References

Mon, 04 May 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache http Server
Vendors & Products Apache
Apache http Server

Mon, 04 May 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 04 May 2026 15:00:00 +0000

Type Values Removed Values Added
Description Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
Title Apache HTTP Server: http2: double free and possible RCE on early reset
Weaknesses CWE-415
References

Subscriptions

Apache Http Server
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-05T03:56:10.684Z

Reserved: 2026-01-19T13:00:21.720Z

Link: CVE-2026-23918

cve-icon Vulnrichment

Updated: 2026-05-04T17:32:35.852Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-04T15:16:03.583

Modified: 2026-05-04T20:24:58.200

Link: CVE-2026-23918

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-04T14:44:28Z

Links: CVE-2026-23918 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T02:00:12Z

Weaknesses