CVE-2026-23918
Published: 04 May 2026
Summary
CVE-2026-23918 is a high-severity double-free (CWE-415) vulnerability in Apache HTTP Server with a CVSS 3.1 base score of 8.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-23918 is a double-free vulnerability (CWE-415) in the HTTP/2 handling code of Apache HTTP Server 2.4.66. It affects servers on which the HTTP/2 protocol is in use and can lead to remote code execution; the CVSS 3.1 base score is 8.8.
An authenticated remote attacker who can send crafted HTTP/2 requests to an affected server may trigger the double free, potentially gaining arbitrary code execution with the privileges of the httpd worker process that handled the request. As with most double-free bugs, the more likely outcome of a failed attempt is a crash of that worker (a denial-of-service effect); turning the condition into reliable code execution requires the attacker to control the heap layout, which is why the memory-protection controls listed under Mitigating Controls matter even though they do not fix the flaw.
The Apache project’s security page and the oss-security mailing list both state that users should upgrade to version 2.4.67, which contains the fix; no other mitigations are described in the references.
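As an added example (not code from the Apache project or from this page's references), the shell functions below turn the remediation statement into a check an operator can run across a fleet: they parse the `httpd -v` banner and the `httpd -M` module list and report whether a host runs the single release this page lists as affected, and whether mod_http2 is loaded at all. The banners and module lists are constructed samples; the binary name (`httpd`, or `apache2` on Debian-derived systems) and the assumption that the flaw is not reachable without mod_http2 loaded are the example's own, noted in the comments.

```shell
#!/bin/sh
# Added example, not code from the Apache project or the page's references.
# Decides whether an httpd host is running the release this page lists as
# affected (2.4.66) and whether HTTP/2 handling is even loaded.

# Constructed sample output of `httpd -v` on an affected and on a fixed host.
SAMPLE_BANNER_VULN='Server version: Apache/2.4.66 (Unix)
Server built:   Mar  3 2026 00:00:00'
SAMPLE_BANNER_FIXED='Server version: Apache/2.4.67 (Unix)
Server built:   Apr 30 2026 00:00:00'

# Constructed sample output of `httpd -M` with and without mod_http2.
SAMPLE_MODULES_H2='Loaded Modules:
 core_module (static)
 mpm_event_module (shared)
 http2_module (shared)
 ssl_module (shared)'
SAMPLE_MODULES_NOH2='Loaded Modules:
 core_module (static)
 mpm_event_module (shared)
 ssl_module (shared)'

# Pull "2.4.66" out of the "Server version: Apache/2.4.66 (Unix)" line.
# $1 is the full banner text (on Debian/Ubuntu the binary is apache2, not httpd).
httpd_version_from_banner() {
    printf '%s\n' "$1" \
        | sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*/\1/p' \
        | head -n 1
}

# True (exit 0) only for the exact release named on this page. Exact match is
# deliberate: the source lists one affected version, so a "<= 2.4.66" rule
# would claim more than the advisory supports.
is_affected_version() {
    [ "$1" = "2.4.66" ]
}

# True when mod_http2 appears in the loaded-module list ($1 = `httpd -M` output).
# Assumption, not stated in the references: if mod_http2 is not loaded, the
# HTTP/2 handling code the flaw lives in is not in the request path.
http2_module_loaded() {
    printf '%s\n' "$1" | grep -q '^ *http2_module'
}

# Single-line verdict for an operator. $1 = `httpd -v` output, $2 = `httpd -M` output.
assess() {
    v=$(httpd_version_from_banner "$1")
    if [ -z "$v" ]; then
        echo "UNKNOWN: could not parse an Apache version from the banner"
    elif is_affected_version "$v"; then
        if http2_module_loaded "$2"; then
            echo "VULNERABLE: Apache $v with mod_http2 loaded; upgrade to 2.4.67"
        else
            echo "PATCH: Apache $v is the affected release (mod_http2 not loaded); upgrade to 2.4.67"
        fi
    else
        echo "NOT_AFFECTED: Apache $v is not the release listed for CVE-2026-23918"
    fi
}

# Run against the constructed samples; on a real host use:
#   assess "$(httpd -v)" "$(httpd -M 2>/dev/null)"
assess "$SAMPLE_BANNER_VULN" "$SAMPLE_MODULES_H2"
assess "$SAMPLE_BANNER_VULN" "$SAMPLE_MODULES_NOH2"
assess "$SAMPLE_BANNER_FIXED" "$SAMPLE_MODULES_H2"
```

The PATCH verdict for an affected build without mod_http2 is intentional: the module can be enabled later by a configuration change, so the only durable remediation is the version the references name.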
The associated EPSS score has held flat at 0.0112 since disclosure, with no material increase.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26955
Vulnerability details
Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
CWE(s)
- CWE-415: Double Free
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
Double-free memory corruption in Apache HTTP Server's HTTP/2 handling can give an attacker remote code execution on a public-facing web server, which is the pattern T1190 describes.
Affected Assets
- Apache HTTP Server 2.4.66 (fixed in 2.4.67)
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Identify every vulnerable Apache 2.4.66 binary and apply the vendor-supplied update to 2.4.67, which removes the double-free flaw; this is the only fix the references describe.
- AC-6 (Least Privilege): Run the httpd worker processes as a dedicated unprivileged User/Group with no more filesystem and network rights than serving content requires, so that code execution inside a worker does not hand the attacker the host. The parent process still runs as root to bind ports 80 and 443, but it forks the workers that actually handle requests as the configured user.
- SI-16 (Memory Protection): Keep memory-protection mechanisms (ASLR, NX, guard pages) enabled; they do not remove the flaw but raise the cost of turning the double free into reliable code execution. ASLR only randomises the httpd image itself when the binary is built as a position-independent executable.
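The two hardening controls above (least privilege for the workers, memory protection on the binary) can be verified rather than assumed. The following added example, not code from the page or the Apache project, checks both offline: it parses constructed `ps` output to confirm that httpd workers do not run as root, and constructed `readelf` output to confirm the binary is a PIE with a non-executable stack, plus the system-wide ASLR setting. It assumes a Linux host with GNU `readelf`, `/proc/sys/kernel/randomize_va_space`, and a process named `httpd` (`apache2` on Debian-derived systems); all sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not code from the Apache project or the page's references.
# Offline checks for the two hardening controls listed above: that httpd
# workers run unprivileged (AC-6) and that the httpd binary carries the
# memory protections ASLR relies on (PIE, non-executable stack) (SI-16).

# Constructed `ps -eo user=,pid=,ppid=,comm=` output. The root process with
# parent 1 is the httpd parent, which binds 80/443 and forks workers as the
# configured User/Group; only the workers handle requests.
SAMPLE_PS_GOOD='root      1201     1 httpd
www-data  1202  1201 httpd
www-data  1203  1201 httpd
www-data  1204  1201 httpd'
SAMPLE_PS_BAD='root      1201     1 httpd
root      1202  1201 httpd
www-data  1203  1201 httpd'

# Constructed `readelf -h` and `readelf -lW` excerpts: a PIE, a non-PIE binary,
# a non-executable stack and an executable stack.
SAMPLE_ELF_H_PIE='ELF Header:
  Class:                             ELF64
  Type:                              DYN (Position-Independent Executable file)'
SAMPLE_ELF_H_EXEC='ELF Header:
  Class:                             ELF64
  Type:                              EXEC (Executable file)'
SAMPLE_ELF_L_NX='Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x001000 0x001000 R   0x1000
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10'
SAMPLE_ELF_L_EXECSTACK='Program Headers:
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x10'

# AC-6: list the distinct users that httpd *worker* processes run as. A worker
# is a process named $2 whose parent is also a process named $2.
# $1 = ps output, $2 = process name (httpd, or apache2 on Debian-derived systems).
httpd_worker_users() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $4 == name { user[$2] = $1; parent[$2] = $3 }
        END {
            for (pid in user)
                if (parent[pid] in user) print user[pid]
        }' | sort -u
}

# True (exit 0) when no worker runs as root.
workers_unprivileged() {
    ! httpd_worker_users "$1" "$2" | grep -qx root
}

# SI-16: the main executable is position independent (ELF type DYN), so ASLR
# randomises its load address. $1 = `readelf -h httpd` output.
is_pie() {
    printf '%s\n' "$1" | grep -q '^ *Type: *DYN'
}

# SI-16: the GNU_STACK program header carries no E flag. readelf prints the
# flags with spaces for absent bits ("R E"), so collect every field made only
# of R/W/E letters instead of trusting a column number. A missing GNU_STACK
# header is treated as a failure because the kernel then applies its default.
# $1 = `readelf -lW httpd` output.
stack_nonexec() {
    flags=$(printf '%s\n' "$1" | awk '
        $1 == "GNU_STACK" { f = ""; for (i = 2; i <= NF; i++) if ($i ~ /^[RWE]+$/) f = f $i; print f }')
    [ -n "$flags" ] && ! printf '%s' "$flags" | grep -q E
}

# System-wide ASLR: /proc/sys/kernel/randomize_va_space should read 2.
# $1 = the file's content (passed in so the check can run offline).
aslr_full() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "2" ]
}

# Report against the constructed samples; on a real host substitute
#   "$(ps -eo user=,pid=,ppid=,comm=)" "$(readelf -h "$(command -v httpd)")"
#   "$(readelf -lW "$(command -v httpd)")" "$(cat /proc/sys/kernel/randomize_va_space)"
report() {
    if workers_unprivileged "$1" httpd; then
        echo "AC-6 ok: workers run as $(httpd_worker_users "$1" httpd | tr '\n' ' ')"
    else
        echo "AC-6 FAIL: an httpd worker runs as root"
    fi
    if is_pie "$2"; then echo "SI-16 ok: PIE"; else echo "SI-16 FAIL: not PIE, ASLR cannot move the image"; fi
    if stack_nonexec "$3"; then echo "SI-16 ok: NX stack"; else echo "SI-16 FAIL: executable stack"; fi
    if aslr_full "$4"; then echo "SI-16 ok: randomize_va_space=2"; else echo "SI-16 FAIL: ASLR not fully enabled"; fi
}
report "$SAMPLE_PS_GOOD" "$SAMPLE_ELF_H_PIE" "$SAMPLE_ELF_L_NX" "2"
report "$SAMPLE_PS_BAD" "$SAMPLE_ELF_H_EXEC" "$SAMPLE_ELF_L_EXECSTACK" "0"
```

None of these checks removes the double free; they confirm that the blast radius and exploitation cost described under AC-6 and SI-16 are actually in place while the upgrade to 2.4.67 is rolled out.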