<Vulnerability name="CVE-2026-23918">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-05-04T14:44:28</PublicDate>
    <Bugzilla id="2465304" url="https://bugzilla.redhat.com/show_bug.cgi?id=2465304" xml:lang="en:us">
Apache HTTP Server: Remote Code Execution via Double Free in HTTP/2 Protocol
    </Bugzilla>
    <CVSS3 status="verified">
        <CVSS3BaseScore>8.8</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-1341</CWE>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in Apache HTTP Server. This vulnerability, related to a double free error within the HTTP/2 protocol implementation, could potentially allow a remote attacker to execute arbitrary code. Successful exploitation could lead to a complete compromise of the affected system.
    </Details>
    <Statement xml:lang="en:us">
This issue is marked as Important rather than Moderate because it involves a memory safety violation (double free) in the HTTP/2 request handling path, which is directly exposed to untrusted network input. A double free can corrupt the heap allocator's internal metadata, letting an attacker manipulate the memory layout and, under favorable conditions, achieve arbitrary code execution (RCE). In this case the flaw is triggered during an early stream reset in HTTP/2, so a remote client can exercise it pre-authentication and without any complex application-level interaction. Because Apache HTTP Server is widely deployed in internet-facing environments, even a low-probability RCE path significantly elevates risk.

Additionally, the vulnerability is in a core protocol module rather than an optional edge feature, which increases the likelihood of exposure. Note that this vulnerability affects Apache HTTP Server version 2.4.66 only; Red Hat's mod_http2 packages are not affected because they are built against httpd versions that do not contain the flaw.
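
The C model below is an added illustration of the bug class the statement names (CWE-1341, a second release of the same resource on the stream-reset path). It is constructed for this page; it is not mod_http2's code and does not reproduce the actual httpd flaw or any exploit step. The session table, the stream object and the bookkeeping in stream_release are assumptions made for the example: a repeat release is counted instead of being passed to free(), so the flow can be observed without corrupting the heap. The vulnerable handler releases the stream's buffer but leaves the stale pointer in the session table, so connection teardown releases it a second time; the hardened handler drops the table's reference first, so exactly one owner can ever free the stream.

<![CDATA[
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_STREAMS 4

/* Constructed model for this page, not httpd/mod_http2 code: a session owns a
 * table of streams, and each stream owns one heap buffer for its request body. */
typedef struct {
    int   id;
    char *body;      /* heap buffer owned by the stream */
    int   released;  /* toy bookkeeping: lets a repeat release be counted, not executed */
} stream_t;

typedef struct {
    stream_t *slots[MAX_STREAMS];
    int       double_frees;  /* incremented where a real free() would be the CWE-1341 hit */
} session_t;

static stream_t *stream_open(session_t *s, int slot, int id, const char *body) {
    stream_t *st = calloc(1, sizeof *st);
    if (!st) abort();
    size_t n = strlen(body) + 1;
    st->id = id;
    st->body = malloc(n);
    if (!st->body) abort();
    memcpy(st->body, body, n);
    s->slots[slot] = st;
    return st;
}

/* Release the stream's buffer. A second call on the same stream is the
 * condition the advisory describes; here it is counted instead of calling
 * free() again, so the flow is observable without corrupting allocator metadata. */
static void stream_release(session_t *s, stream_t *st) {
    if (st->released) {
        s->double_frees++;
        return;
    }
    st->released = 1;
    free(st->body);
    st->body = NULL;   /* nulling after free stops a later use, not a second owner */
}

/* VULNERABLE pattern: the early RST_STREAM handler releases the stream but
 * leaves the stale pointer in the session table, so session teardown releases
 * the same stream a second time. */
static void on_rst_stream_vuln(session_t *s, stream_t *st) {
    stream_release(s, st);
    /* s->slots[] still points at st */
}

/* HARDENED pattern: drop the table's reference before releasing, so exactly
 * one code path owns the stream at any time and teardown finds nothing to free. */
static void on_rst_stream_fixed(session_t *s, stream_t *st) {
    for (int i = 0; i < MAX_STREAMS; i++)
        if (s->slots[i] == st)
            s->slots[i] = NULL;
    stream_release(s, st);
    free(st);
}

/* Connection close: release whatever the table still references. */
static void session_teardown(session_t *s) {
    for (int i = 0; i < MAX_STREAMS; i++) {
        if (s->slots[i]) {
            stream_release(s, s->slots[i]);
            free(s->slots[i]);
            s->slots[i] = NULL;
        }
    }
}

/* Open one stream, reset it early, then close the connection.
 * Returns how many repeat releases the flow produced (1 vulnerable, 0 hardened). */
int simulate_early_reset(int hardened) {
    session_t s = {0};
    stream_t *st = stream_open(&s, 0, 1, "POST /upload body (constructed)");
    if (hardened)
        on_rst_stream_fixed(&s, st);
    else
        on_rst_stream_vuln(&s, st);
    session_teardown(&s);
    return s.double_frees;
}

int main(void) {
    printf("vulnerable flow: %d repeat release(s)\n", simulate_early_reset(0));
    printf("hardened flow:   %d repeat release(s)\n", simulate_early_reset(1));
    return 0;
}
```
]]>

The design point is ownership, not the NULL assignment: setting the freed pointer to NULL protects only the code path that holds that pointer, while the second path still holds its own copy in the table. Building the real server with a tracking allocator (or running it under AddressSanitizer) surfaces the same two-owner pattern as a double-free report.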
    </Statement>
    <Mitigation xml:lang="en:us">
To mitigate this issue, disable the `mod_http2` module in your Apache HTTP Server configuration by commenting out or removing the `LoadModule http2_module modules/mod_http2.so` line in the Apache configuration file (e.g., `/etc/httpd/conf.modules.d/00-base.conf` or a similar configuration file). After modifying the configuration, restart the httpd service for the change to take effect. Note that this disables HTTP/2 entirely, so clients fall back to HTTP/1.1 and any service relying on HTTP/2 functionality will be affected.
    </Mitigation>
    <AffectedRelease cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <ReleaseDate>2026-05-06T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:13938">RHSA-2026:13938</Advisory>
        <Package name="httpd-main">httpd-main-2.4.67-0.1.hum1</Package>
    </AffectedRelease>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:10">
        <ProductName>Red Hat Enterprise Linux 10</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>httpd</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:10">
        <ProductName>Red Hat Enterprise Linux 10</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>mod_http2</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:6">
        <ProductName>Red Hat Enterprise Linux 6</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>httpd</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:7">
        <ProductName>Red Hat Enterprise Linux 7</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>httpd</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>httpd:2.4/httpd</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>httpd:2.4/mod_http2</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>httpd</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>mod_http2</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jboss_core_services:1">
        <ProductName>Red Hat JBoss Core Services</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>mod_http2</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-23918
https://nvd.nist.gov/vuln/detail/CVE-2026-23918
https://httpd.apache.org/security/vulnerabilities_24.html
    </References>
</Vulnerability>