CVE-2026-23918

8.8

High

Published:4 May 2026

Last updated:17 Jun 2026

Source:security@apache.org

Analyzed

Weakness (CWE)

CWE-415Double Free

CVSS Vector

v3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

View on MITRE Find PoC on GitHub

Description

Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Exploits

525772026-05-26webappsMultiple

Apache HTTP Server 2.4.66 - 'mod_http2' Double-Free Denial of Service

By alisunbul

References

security@apache.org

https://httpd.apache.org/security/vulnerabilities_24.html

af854a3a-2127-422b-91ae-364da2661108

http://www.openwall.com/lists/oss-security/2026/05/04/19

Description

Exploits

Apache HTTP Server 2.4.66 - &#039;mod_http2&#039; Double-Free Denial of Service

References

Description

Exploits

Apache HTTP Server 2.4.66 - &#039;mod_http2&#039; Double-Free Denial of Service

References

Apache HTTP Server 2.4.66 - 'mod_http2' Double-Free Denial of Service

Apache HTTP Server 2.4.66 - 'mod_http2' Double-Free Denial of Service