{
  "threat_severity" : "Important",
  "public_date" : "2026-05-04T14:44:28Z",
  "bugzilla" : {
    "description" : "Apache HTTP Server: Apache HTTP Server: Remote Code Execution via Double Free in HTTP/2 Protocol",
    "id" : "2465304",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2465304"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-1341",
  "details" : [ "Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol.\nThis issue affects Apache HTTP Server: 2.4.66.\nUsers are recommended to upgrade to version 2.4.67, which fixes the issue.", "A flaw was found in Apache HTTP Server. This vulnerability, related to a double free error within the HTTP/2 protocol implementation, could potentially allow a remote attacker to execute arbitrary code. Successful exploitation could lead to a complete compromise of the affected system." ],
  "statement" : "This issue marked as Important rather than Moderate because it involves a memory safety violation (double free) in the HTTP/2 request handling path, which is directly exposed to untrusted network input. A double free condition can corrupt the heap allocator’s internal metadata, enabling attackers to manipulate memory layout and potentially achieve arbitrary code execution (RCE) under favorable conditions. In this case, the flaw is triggered during an early stream reset in HTTP/2, meaning it can be exercised pre-authentication by a remote client without requiring complex application-level interaction. Given that Apache HTTP Server is widely deployed in internet-facing environments, even a low-probability RCE path significantly elevates risk.\nAdditionally, the vulnerability exists in a core protocol module rather than an optional edge feature, increasing the likelihood of exposure. It is also important to note that this vulnerability specifically affects Apache HTTP Server version 2.4.66 only, and our mod_http2 packages are not affected as they are built against non-vulnerable httpd versions.",
  "affected_release" : [ {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-05-06T00:00:00Z",
    "advisory" : "RHSA-2026:13938",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "httpd-main-2.4.67-0.1.hum1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "mod_http2",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "httpd:2.4/httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "httpd:2.4/mod_http2",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "mod_http2",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat JBoss Core Services",
    "fix_state" : "Not affected",
    "package_name" : "mod_http2",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23918\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23918\nhttps://httpd.apache.org/security/vulnerabilities_24.html" ],
  "name" : "CVE-2026-23918",
  "mitigation" : {
    "value" : "To mitigate this issue, disable the `mod_http2` module in your Apache HTTP Server configuration. This can be achieved by commenting out or removing the `LoadModule http2_module modules/mod_http2.so` line in the Apache configuration file (e.g., `/etc/httpd/conf.modules.d/00-base.conf` or a similar configuration file). After modifying the configuration, restart the httpd service for the changes to take effect. This action will impact services relying on HTTP/2 functionality.",
    "lang" : "en:us"
  },
  "csaw" : false
}