Cyber Resilience

CVE-2026-23918

Severity: High

Published: 04 May 2026

Modified: 04 May 2026
KEV Added: not listed
Patch: available (upgrade to 2.4.67)
CVSS Score (v3.1): 8.8, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.4280 (98.5th percentile)
Risk Priority: 60 (floored blend, peak EPSS)

Summary

CVE-2026-23918 is a high-severity Double Free (CWE-415) vulnerability in Apache HTTP Server. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.5% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-23918 is a double-free vulnerability, assigned CWE-415, that affects Apache HTTP Server version 2.4.66 when the HTTP/2 protocol is in use and can lead to remote code execution. The flaw resides in the server’s HTTP/2 handling code and carries a CVSS 3.1 base score of 8.8.

An authenticated remote attacker who can send crafted HTTP/2 requests to an affected server may trigger the double-free condition, potentially resulting in arbitrary code execution with the privileges of the httpd process.

The Apache project’s security page and the oss-security mailing list both state that users should upgrade to version 2.4.67, which contains the fix; no other mitigations are described in the references.

The associated EPSS score has remained flat at 0.0112 with no material increase since disclosure.

EU & UK References

Vulnerability details

Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Double-free memory corruption in Apache HTTP Server's HTTP/2 handling directly enables remote code execution against a public-facing web application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34059 (same product: Apache HTTP Server)
CVE-2026-29168 (same product: Apache HTTP Server)
CVE-2026-29169 (same product: Apache HTTP Server)
CVE-2026-24072 (same product: Apache HTTP Server)
CVE-2024-52577 (same vendor: Apache)
CVE-2025-66236 (same vendor: Apache)
CVE-2026-41919 (same vendor: Apache)
CVE-2026-46586 (same vendor: Apache)
CVE-2026-41409 (same vendor: Apache)
CVE-2025-67895 (same vendor: Apache)

Affected Assets

Apache HTTP Server 2.4.66

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

SI-2 Flaw Remediation (prevent)

Directly requires identifying the vulnerable Apache 2.4.66 binary and applying the vendor-supplied update to 2.4.67 that eliminates the double-free flaw.

AC-6 Least Privilege (prevent)

Limits the httpd worker process to the minimum privileges needed, reducing the impact of successful RCE even if the double-free is triggered.

Memory protection (prevent)

Requires memory-protection mechanisms (ASLR, NX, guard pages) that raise the difficulty of reliably exploiting the double-free condition for code execution.

References