CVE-2026-23918
Modified
Modified - Updated After Analysis
Double Free and Possible RCE in Apache HTTP Server
Vulnerability report for CVE-2026-23918, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-05-04
Last updated on: 2026-06-30
Assigner: Apache Software Foundation
Description
Description
Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol.
This issue affects Apache HTTP Server: 2.4.66.
Users are recommended to upgrade to version 2.4.67, which fixes the issue.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | http_server | 2.4.66 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-415 | The product calls free() twice on the same memory address. |
| CWE-1341 | The product attempts to close or release a resource or handle more than once, without any successful open between the close operations. |