CVE-2026-23918
Double Free and Possible RCE in Apache HTTP Server
Publication date: 2026-05-04
Last updated on: 2026-05-04
Assigner: Apache Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | http_server | 2.4.66 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-415 | The product calls free() twice on the same memory address. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Double Free and possible Remote Code Execution (RCE) issue in the Apache HTTP Server when using the HTTP/2 protocol. A double free occurs when a program attempts to free the same memory location twice, which can lead to memory corruption and potentially allow an attacker to execute arbitrary code remotely.
How can this vulnerability impact me? :
This vulnerability can have severe impacts including allowing an attacker to execute arbitrary code on the affected server remotely. This can lead to full compromise of the server, data breaches, service disruption, and unauthorized access to sensitive information.
What immediate steps should I take to mitigate this vulnerability?
Users are recommended to upgrade Apache HTTP Server from version 2.4.66 to version 2.4.67, which fixes the double free and possible remote code execution vulnerability.