Cyber Posture

CVE-2026-23918

Severity: High
Published: 04 May 2026
Modified: 04 May 2026
KEV Added: not listed
Patch: available
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0007 (20.9th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-23918 is a high-severity Double Free (CWE-415) vulnerability in Apache HTTP Server. Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 20.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent (SI-2 Flaw Remediation)

Directly requires timely patching and remediation of known software flaws like the double-free vulnerability in Apache HTTP Server 2.4.66 to prevent RCE.

prevent

Implements memory protection safeguards such as ASLR and DEP that hinder exploitation of double-free vulnerabilities for arbitrary code execution.

detect (RA-5 Vulnerability Monitoring and Scanning)

Vulnerability scanning detects the presence of CVE-2026-23918 in Apache HTTP Server deployments, enabling targeted remediation.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Double-free memory corruption in Apache HTTP Server's HTTP/2 handling directly enables remote code execution against a public-facing web application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Deeper analysis

CVE-2026-23918 is a double-free vulnerability in the Apache HTTP Server that can lead to remote code execution (RCE) when processing the HTTP/2 protocol. It affects version 2.4.66 of the Apache HTTP Server. The issue is classified under CWE-415 (Double Free) and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity: it is reachable over the network, has low attack complexity, and requires only low privileges.

An attacker with low privileges, such as an authenticated user, can exploit this vulnerability over the network without requiring user interaction. Successful exploitation allows arbitrary code execution on the server, resulting in high impacts to confidentiality, integrity, and availability, potentially compromising the entire affected system.

The official Apache HTTP Server security advisory recommends upgrading to version 2.4.67, which addresses the vulnerability. Additional details are available in the Apache vulnerabilities page at https://httpd.apache.org/security/vulnerabilities_24.html and the oss-security mailing list announcement at http://www.openwall.com/lists/oss-security/2026/05/04/19.
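As an added triage helper, not code from this page or from the Apache project, the check below applies the RA-5 scanning control and the advisory's version guidance above: it parses `httpd -v` and `httpd -M` output, flags 2.4.66 as affected and 2.4.67 or later as fixed, and records whether mod_http2 is loaded. The sample outputs are constructed, and treating hosts without mod_http2 as lower priority (because the flaw sits in HTTP/2 handling) is an assumption.

```python
import re

# Versions the advisory lists as affected, and the first release it says fixes the issue.
AFFECTED = {(2, 4, 66)}
FIXED_FROM = (2, 4, 67)

# Constructed sample outputs of `httpd -v` and `httpd -M` on a vulnerable host.
SAMPLE_V = "Server version: Apache/2.4.66 (Unix)\nServer built:   Apr  1 2026 00:00:00\n"
SAMPLE_M = "Loaded Modules:\n core_module (static)\n mpm_event_module (shared)\n http2_module (shared)\n"


def parse_httpd_version(httpd_v_output: str):
    """Return (major, minor, patch) from `httpd -v` output, or None if absent."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", httpd_v_output)
    return tuple(int(x) for x in m.groups()) if m else None


def http2_loaded(httpd_m_output: str) -> bool:
    """True if mod_http2 appears in the `httpd -M` (Loaded Modules) listing."""
    return re.search(r"^\s*http2_module\b", httpd_m_output, re.M) is not None


def triage(httpd_v_output: str, httpd_m_output: str) -> dict:
    """Classify a host against CVE-2026-23918 and assign a remediation priority."""
    ver = parse_httpd_version(httpd_v_output)
    if ver is None:
        status = "unknown"
    elif ver in AFFECTED:
        status = "affected"
    elif ver >= FIXED_FROM:
        status = "fixed"
    else:
        status = "not-listed"   # version not named by the advisory; verify separately
    h2 = http2_loaded(httpd_m_output)
    # Assumption: without mod_http2 the HTTP/2 code path is not exposed, so the host
    # still needs the 2.4.67 upgrade but can be scheduled rather than patched at once.
    if status == "affected":
        priority = "patch-now" if h2 else "patch-scheduled"
    else:
        priority = "none"
    return {"version": ver, "status": status, "http2_loaded": h2, "priority": priority}


if __name__ == "__main__":
    print(triage(SAMPLE_V, SAMPLE_M))
```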

Details

CWE(s): CWE-415 (Double Free)

Affected Products: Apache HTTP Server 2.4.66

CVEs Like This One

CVE-2026-34059 (same product: Apache HTTP Server)
CVE-2026-29168 (same product: Apache HTTP Server)
CVE-2026-24072 (same product: Apache HTTP Server)
CVE-2026-29169 (same product: Apache HTTP Server)
CVE-2024-55532 (same vendor: Apache)
CVE-2026-31908 (same vendor: Apache)
CVE-2025-54466 (same vendor: Apache)
CVE-2026-40466 (same vendor: Apache)
CVE-2025-24783 (same vendor: Apache)
CVE-2026-24343 (same vendor: Apache)
