The Apache Software Foundation has released a security update for Apache HTTP Server, version 2.4.67, that addresses five vulnerabilities. The most serious is a double-free flaw rated High that could lead to remote code execution (RCE). The release was issued on May 4, 2026, and administrators running version 2.4.66 or earlier are strongly advised to upgrade without delay.
Critical Vulnerability Details
The most pressing issue, CVE-2026-23918, carries a High severity rating and a CVSS score of 8.8. It is a double-free memory corruption bug triggered in the HTTP/2 implementation during an early stream reset, which places the trigger in code that processes client-supplied HTTP/2 traffic. A double free occurs when a program releases the same heap allocation twice; the allocator's bookkeeping is corrupted, and if an attacker can influence later allocations, that corruption can be turned into execution of attacker-controlled code.
The flaw affects Apache HTTP Server version 2.4.66 and was reported by Bartlomiej Dmitruk of striga.ai and Stanislaw Strzalkowski of isec.pl on December 10, 2025. A fix was implemented the following day and shipped publicly in version 2.4.67.
Moderate and Low Severity Issues
A second vulnerability, CVE-2026-24072, rated Moderate, affects mod_rewrite. A local user who can place .htaccess files on the server can use rewrite rules to access arbitrary files, potentially escalating privileges. It was reported by the researcher y7syeu on January 20, 2026, and affects version 2.4.66 and earlier.
Three lower-severity issues were also fixed: a heap-based buffer overflow in mod_proxy_ajp (CVE-2026-28780), which only matters on servers that use mod_proxy_ajp to proxy to AJP backends such as Tomcat; a resource exhaustion issue in mod_md (CVE-2026-29168); and a NULL pointer dereference in mod_dav_lock (CVE-2026-29169). Their impact ranges from server crashes (denial of service) to resource depletion.
Recommendations for Administrators
The potential impact of CVE-2026-23918 is significant given how widely Apache HTTP Server is deployed in enterprise environments. Administrators are urged to upgrade to version 2.4.67, which is the only complete fix for all five issues. Where the upgrade cannot be applied immediately, disabling HTTP/2 (removing h2 and h2c from the Protocols directive, or not loading mod_http2) removes the trigger path for CVE-2026-23918; this is a workaround rather than a fix, and it forfeits HTTP/2 for clients. Not loading mod_dav_lock, if it is unused, removes exposure to CVE-2026-29169.
Administrators should also audit .htaccess handling to limit privilege escalation via CVE-2026-24072: restrict who can write .htaccess files, and in directories maintained by untrusted local users limit AllowOverride (mod_rewrite directives require the FileInfo override, which AllowOverride All also grants). This matters most in shared-hosting or other environments where local users are not fully trusted.
Given the severity of these issues, organizations should prioritize the update to keep their systems protected.
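The checks above (installed version, loaded modules, HTTP/2 still advertised, AllowOverride scope) can be scripted. The following is an added example written for this page, not code from the Apache advisory or the httpd project. It assumes only the standard output formats of `httpd -v` and `httpd -M` and the httpd.conf directive syntax; the sample inputs at the bottom are constructed for demonstration, not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the Apache advisory or the httpd project): a triage
# helper for the interim measures. Assumes the standard `httpd -v` / `httpd -M`
# output formats and httpd.conf directive syntax. Sample inputs below are
# constructed. For a live system, feed real data, e.g.:
#   httpd -v | installed_version ; httpd -M | affected_modules

# Extract "2.4.66" from `httpd -v` output read on stdin.
installed_version() {
  sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*/\1/p'
}

# Return 0 (true) when version $1 predates the fixed release 2.4.67.
needs_upgrade() {
  v="$1"
  case $v in
    [0-9]*.[0-9]*) ;;
    *) echo "needs_upgrade: unrecognised version '$v'" >&2; return 2 ;;
  esac
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  case $rest in
    *.*) patch=${rest#*.} ;;
    *)   patch=0 ;;
  esac
  patch=${patch%%[!0-9]*}      # drop suffixes such as "-dev"
  if [ "$major" -ne 2 ]; then [ "$major" -lt 2 ]; return; fi
  if [ "$minor" -ne 4 ]; then [ "$minor" -lt 4 ]; return; fi
  [ "$patch" -lt 67 ]
}

# Given `httpd -M` output on stdin, print each loaded module that receives a
# fix in 2.4.67, tagged with its CVE. No output means none of them is loaded.
affected_modules() {
  while read -r name rest; do
    case $name in
      http2_module)     echo "$name  CVE-2026-23918 double free (HTTP/2 early stream reset)" ;;
      rewrite_module)   echo "$name  CVE-2026-24072 arbitrary file access via .htaccess rules" ;;
      proxy_ajp_module) echo "$name  CVE-2026-28780 heap buffer overflow" ;;
      md_module)        echo "$name  CVE-2026-29168 resource exhaustion" ;;
      dav_lock_module)  echo "$name  CVE-2026-29169 NULL pointer dereference" ;;
    esac
  done
}

# Return 0 when an active Protocols directive in the configuration on stdin
# still advertises HTTP/2 (h2 or h2c). Commented-out directives are ignored.
h2_advertised() {
  grep -Eiq '^[[:space:]]*Protocols([[:space:]]|.*[[:space:]])h2c?([[:space:]]|$)'
}

# Print AllowOverride lines that let .htaccess files carry mod_rewrite
# directives: mod_rewrite needs the FileInfo override, and "All" includes it.
# "Options=All" is deliberately not matched, since it grants only Options.
rewrite_overrides() {
  grep -Ei '^[[:space:]]*AllowOverride([[:space:]]|.*[[:space:]])(All|FileInfo)([[:space:]]|$)'
}

# Print a triage report. $1 = version, $2 = `httpd -M` output, $3 = config text.
report() {
  if [ -z "$1" ]; then
    echo "version: could not be determined (run: httpd -v)"
  elif needs_upgrade "$1"; then
    echo "version $1: predates 2.4.67, upgrade"
  else
    echo "version $1: fixed release or later"
  fi
  echo "loaded modules with fixes in 2.4.67:"
  printf '%s\n' "$2" | affected_modules | sed 's/^/  /'
  if printf '%s\n' "$3" | h2_advertised; then
    echo "HTTP/2 still advertised: until upgraded, 'Protocols http/1.1' removes the CVE-2026-23918 path"
  fi
  echo "AllowOverride lines that let .htaccess enable mod_rewrite (audit these):"
  printf '%s\n' "$3" | rewrite_overrides | sed 's/^/  /'
  return 0
}

# --- constructed sample inputs (not captured from a real server) ---
SAMPLE_VERSION_OUTPUT='Server version: Apache/2.4.66 (Unix)
Server built:   May  1 2026 12:00:00'
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 so_module (static)
 http2_module (shared)
 rewrite_module (shared)
 dav_lock_module (shared)'
SAMPLE_CONF='Protocols h2 http/1.1
#Protocols h2c http/1.1
<Directory "/var/www/html">
    AllowOverride All
</Directory>
<Directory "/srv/app">
    AllowOverride Options=All
</Directory>'

report "$(printf '%s\n' "$SAMPLE_VERSION_OUTPUT" | installed_version)" "$SAMPLE_MODULES" "$SAMPLE_CONF"
```

The version check only answers "older than 2.4.67 or not"; distribution packages that backport fixes keep an older version string, so on such systems consult the package changelog rather than this output. The module list is taken from the running binary (`httpd -M`), so a `LoadModule` line that is commented out is correctly ignored, and the AllowOverride report is a starting point for review, not a verdict: a directory writable only by trusted administrators can keep `AllowOverride All`.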
