Apache Software Foundation has released HTTP Server version 2.4.67 to address five security vulnerabilities, including a high-severity double free flaw (CVE-2026-23918) in the HTTP/2 implementation that could allow remote code execution (RCE) on affected systems running version 2.4.66.
The May 4, 2026, security release is a mandatory upgrade for administrators operating any Apache HTTP Server deployment. With Apache powering a significant portion of the world’s web infrastructure, the scope of exposure from these vulnerabilities is substantial and demands immediate action.
The most severe vulnerability patched in this release is CVE-2026-23918, rated important and carrying a CVSS base score of 8.8 (High). This flaw is a classic double-free memory corruption bug (CWE-415) triggered within Apache’s HTTP/2 protocol handler when a stream undergoes an “early reset,” a condition that a remote attacker can deliberately force.
Critical Apache HTTP/2 RCE Vulnerability
A double-free vulnerability occurs when a program attempts to free the same memory address twice. In HTTP/2, this error is triggered during specific stream reset sequences, leading to heap corruption. Successful exploitation could allow a low-privileged remote attacker to execute arbitrary code on the vulnerable server without requiring physical access.
The vulnerability was discovered by Bartlomiej Dmitruk of striga.ai and Stanislaw Strzalkowski of isec.pl, first reported to the Apache security team on December 10, 2025, and fixed in revision r1930444 the following day.
Only Apache HTTP Server version 2.4.66 is affected by this specific flaw. Administrators running this exact version face the highest risk and should treat this patch as an emergency update.
Rated moderate, CVE-2026-24072 is an escalation of privilege vulnerability present in Apache HTTP Server 2.4.66 and earlier. The flaw resides in how various modules process ap_expr expressions, which are commonly embedded within .htaccess files.
A local user with the ability to author .htaccess configurations can exploit this bug to read arbitrary files with the privileges of the httpd process, including sensitive configuration files, private keys, or application secrets that would otherwise be restricted.
This vulnerability was reported to the Apache security team on January 20, 2026, by researcher y7syeu. While the attack requires local access rather than remote exploitation, the risk remains significant in shared hosting environments or scenarios where multiple users can modify .htaccess files. The fix is included in version 2.4.67.
CVE-2026-28780 is a low-severity heap-based buffer overflow affecting mod_proxy_ajp, Apache’s module for proxying requests to AJP backend servers. The vulnerability exists in the ajp_msg_check_header() function.
If mod_proxy_ajp is configured to connect to a malicious or compromised AJP backend, that server can craft a specially malformed AJP message that causes Apache to write 4 attacker-controlled bytes beyond the end of a heap buffer. This class of write-primitive vulnerability, while rated low in isolation, can serve as a foundation for chained exploitation.
The flaw was reported by a team of four researchers, Andrew Lacambra, Elhanan Haenel, Tianshuo Han, and Tristan Madani, across multiple coordinated disclosures between February and March 2026. All versions through 2.4.66 are affected; upgrading to 2.4.67 fully resolves the issue.
CVE-2026-29168 affects Apache HTTP Server versions 2.4.30 through 2.4.66 and targets the mod_md module, which manages TLS certificates through the ACME protocol. The vulnerability is classified as an Allocation of Resources Without Limits or Throttling flaw (CWE-770).
When mod_md processes an OCSP (Online Certificate Status Protocol) response, it does not apply adequate size constraints to the incoming data, potentially enabling a malicious OCSP responder to exhaust server memory resources.
Discovered by Pavel Kohout of Aisle Research and reported on March 2, 2026, this vulnerability could destabilize servers that rely heavily on mod_md for automated certificate lifecycle management. The patch in 2.4.67 introduces proper throttling of OCSP response data allocation.
The fifth vulnerability, CVE-2026-29169, is a NULL pointer dereference in mod_dav_lock rated low severity. By sending a specially crafted WebDAV request, an attacker can crash the Apache HTTP Server process, a classic Denial of Service (DoS) condition.
Notably, mod_dav_lock is not used internally by mod_dav or mod_dav_fs; the only known production use case was mod_dav_svn from Apache Subversion versions earlier than 1.2.0.
Also reported by Pavel Kohout of Aisle Research on March 4, 2026, this bug affects all versions through 2.4.66. Administrators who do not use WebDAV locking with legacy Subversion setups are advised to remove mod_dav_lock from their configuration as a mitigation measure until they upgrade.
| CVE | Severity | Component | Impact | Affected Versions |
|---|---|---|---|---|
| CVE-2026-23918 | High (8.8) | HTTP/2 | Remote Code Execution | 2.4.66 only |
| CVE-2026-24072 | Moderate | mod_rewrite / ap_expr | Privilege Escalation | Through 2.4.66 |
| CVE-2026-28780 | Low | mod_proxy_ajp | Heap Buffer Overflow | Through 2.4.66 |
| CVE-2026-29168 | Low | mod_md / OCSP | Resource Exhaustion | 2.4.30–2.4.66 |
| CVE-2026-29169 | Low | mod_dav_lock | DoS / Server Crash | Through 2.4.66 |
Mitigation
All five vulnerabilities are patched in Apache HTTP Server 2.4.67, released on May 4, 2026. Security teams should take the following actions without delay:
- Upgrade immediately to Apache HTTP Server 2.4.67 from the official Apache download portal
- Identify exposed assets using inventory queries targeting version:=2.4.66 in your network discovery tools
- Disable HTTP/2 temporarily on critical public-facing servers if immediate patching is not feasible, to mitigate CVE-2026-23918
- Remove mod_dav_lock if not required, as an immediate workaround for CVE-2026-29169
- Audit .htaccess configurations in shared hosting environments to reduce the local attack surface of CVE-2026-24072
- Review the AJP backend trust boundaries; only allow mod_proxy_ajp to connect to trusted, controlled backend servers
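The triage steps above can be scripted. The following POSIX shell helper is an added example, not code from the article or from the Apache HTTP Server project: it takes the first line of `httpd -v` output and a configuration excerpt, maps the server version onto the affected ranges the advisory lists (2.4.66 only for CVE-2026-23918; through 2.4.66 for the others; 2.4.30 through 2.4.66 for CVE-2026-29168), and flags the two configuration-level workarounds, HTTP/2 enabled via a `Protocols` directive and mod_dav_lock loaded. The sample version string and config are constructed for the demonstration; the script only looks at uncommented `Protocols` and `LoadModule dav_lock_module` lines and does not follow `Include` directives, so run it against the fully merged configuration if you use it on real hosts.

```shell
#!/bin/sh
# Added example (not from the article or the Apache project): triage helper for
# the Apache HTTP Server 2.4.67 security release.

# Pull "2.4.66" out of `httpd -v` output ("Server version: Apache/2.4.66 (Unix)").
httpd_version() {
  printf '%s\n' "$1" \
    | sed -n 's/.*Apache\/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
    | head -n 1
}

# Numeric comparison of dotted versions; prints lt, eq or gt for $1 vs $2.
vercmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    if [ "${x:-0}" -lt "${y:-0}" ]; then echo lt; return; fi
    if [ "${x:-0}" -gt "${y:-0}" ]; then echo gt; return; fi
    case $a in *.*) a=${a#*.};; *) a="";; esac
    case $b in *.*) b=${b#*.};; *) b="";; esac
  done
  echo eq
}

# List the CVEs from the 2.4.67 advisory that apply to version $1, in advisory order.
affected_cves() {
  v=$1
  out=""
  # CVE-2026-23918 (HTTP/2 double free) affects 2.4.66 only.
  if [ "$v" = "2.4.66" ]; then out="$out CVE-2026-23918"; fi
  case $(vercmp "$v" 2.4.66) in
    lt|eq)
      out="$out CVE-2026-24072 CVE-2026-28780"
      # CVE-2026-29168 (mod_md OCSP) starts at 2.4.30.
      case $(vercmp "$v" 2.4.30) in gt|eq) out="$out CVE-2026-29168";; esac
      out="$out CVE-2026-29169"
      ;;
  esac
  printf '%s\n' "${out# }"
}

# True if an uncommented Protocols directive lists h2 or h2c (HTTP/2 enabled).
http2_enabled() {
  printf '%s\n' "$1" | grep -Eiq \
    '^[[:space:]]*Protocols([[:space:]]+[^[:space:]]+)*[[:space:]]+h2c?([[:space:]]|$)'
}

# True if mod_dav_lock is loaded (standard module identifier dav_lock_module).
dav_lock_loaded() {
  printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*LoadModule[[:space:]]+dav_lock_module[[:space:]]'
}

# Print the findings for one host's version output and config text.
triage() {
  v=$(httpd_version "$1")
  echo "httpd version: $v"
  echo "advisory CVEs applying to this version: $(affected_cves "$v")"
  if http2_enabled "$2"; then
    echo "HTTP/2 enabled: set 'Protocols http/1.1' until 2.4.67 is installed"
  fi
  if dav_lock_loaded "$2"; then
    echo "mod_dav_lock loaded: remove it unless legacy mod_dav_svn needs it"
  fi
}

# Constructed sample input (not taken from a real host).
SAMPLE_VERSION_OUTPUT='Server version: Apache/2.4.66 (Unix)
Server built:   Jan  1 2026 00:00:00'
SAMPLE_CONFIG='LoadModule http2_module modules/mod_http2.so
LoadModule dav_lock_module modules/mod_dav_lock.so
Protocols h2 http/1.1'

triage "$SAMPLE_VERSION_OUTPUT" "$SAMPLE_CONFIG"
```

On a real host, replace the constructed samples with `httpd -v` and `httpd -t -D DUMP_INCLUDES` output (or the concatenated config files) so that included files and commented-out directives are accounted for.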
FAQ
Q1: Is CVE-2026-23918 being actively exploited in the wild?
No active exploitation has been confirmed at the time of publication, but the high CVSS score of 8.8 and the potential for RCE make rapid patching critical.
Q2: Does CVE-2026-23918 affect all Apache HTTP Server versions?
No, it affects only version 2.4.66; earlier and later versions are not affected by this specific double-free flaw.
Q3: Can disabling HTTP/2 mitigate CVE-2026-23918 without upgrading?
Yes, disabling HTTP/2 (Protocols http/1.1 in your config) removes the attack vector, but upgrading to 2.4.67 remains the only complete fix.
Q4: Where can I download Apache HTTP Server 2.4.67?
The official patched release is available directly from the Apache HTTP Server Project at httpd.apache.org, with full security advisory details published at the official vulnerabilities page.
Site: thecybrdef.com