Critical Apache HTTP Server Vulnerability Exposes Millions to Remote Code Execution
The Apache Software Foundation has issued a critical security update for the Apache HTTP Server, addressing five vulnerabilities, including a double-free flaw in the HTTP/2 implementation that could lead to Remote Code Execution (RCE). The update, version 2.4.67, was released on May 4, 2026. Administrators running version 2.4.66 or earlier are strongly advised to upgrade immediately to mitigate the risk.
CVE-2026-23918: A High-Severity Threat
The most critical of these vulnerabilities is CVE-2026-23918, assigned a High severity rating with a CVSS base score of 8.8. This flaw is a double-free memory corruption bug within Apache’s HTTP/2 protocol implementation, specifically triggered during an early stream reset sequence.
In technical terms, a double-free vulnerability occurs when a program releases the same heap region twice. The second free hands the allocator a block it already considers free, which can corrupt its bookkeeping or cause the same region to be handed out to two owners at once; with control over what ends up in that region, an attacker may be able to redirect execution flow and achieve Remote Code Execution. The practical outcome depends on the allocator: hardened allocators often detect the second free and abort the process, which is a denial of service, while an absent or bypassed check leaves the heap in an exploitable state.
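The failure mode described above, as an added C illustration that is not Apache httpd code and does not model the actual HTTP/2 code path behind CVE-2026-23918: a hypothetical per-stream object whose reset handler releases its one buffer. A small tracked pool stands in for the real heap (the pool sizes, the `struct stream` layout and every function name are this example's own assumptions) so the second release can be observed and counted instead of aborting the process. The scenario is the one that makes a double free dangerous in practice: the first reset frees the slot, the allocator hands the same slot to a new stream, and a late second reset of the old stream frees the new stream's live buffer out from under it.

```c
#include <stdio.h>
#include <string.h>

/* A tiny tracked allocator standing in for the real heap. It lets the second
 * release be observed instead of crashing the process: glibc's tcache check
 * aborts on a detected double free, and older allocators silently corrupt
 * their free-list metadata. Sizes are this example's own choice. */
#define POOL_SLOTS 8
#define SLOT_SIZE  256

static char pool[POOL_SLOTS][SLOT_SIZE];
static int  pool_in_use[POOL_SLOTS];

static void *pool_alloc(void)
{
    for (int i = 0; i < POOL_SLOTS; i++)
        if (!pool_in_use[i]) { pool_in_use[i] = 1; return pool[i]; }
    return NULL;
}

static void pool_release(void *p)
{
    for (int i = 0; i < POOL_SLOTS; i++)
        if (p == (void *)pool[i]) { pool_in_use[i] = 0; return; }
}

/* 1 if the slot holding p is currently allocated, 0 if it has been released. */
int pool_is_live(const void *p)
{
    for (int i = 0; i < POOL_SLOTS; i++)
        if (p == (const void *)pool[i]) return pool_in_use[i];
    return 0;
}

/* Hypothetical per-stream state: an id and one owned buffer. */
struct stream {
    int   id;
    char *buf;
};

/* Vulnerable pattern: the reset handler releases the buffer but leaves the
 * dangling pointer in place, so a second reset of the same stream releases
 * the same region again. */
void stream_reset_unsafe(struct stream *s)
{
    pool_release(s->buf);          /* BUG: s->buf still points at freed memory */
}

/* Hardened pattern: release once, clear the pointer, and make any further
 * reset a no-op. The NULL check is what makes teardown idempotent. */
void stream_reset_safe(struct stream *s)
{
    if (s->buf != NULL) {
        pool_release(s->buf);
        s->buf = NULL;
    }
}

/* Scenario: stream A is reset, its buffer slot is immediately reused for a new
 * stream B, and then a second (late) reset for A arrives. Returns 1 if B's
 * live buffer was released out from under it, i.e. the double free hit
 * another object, and 0 if B is unaffected. */
int victim_buffer_freed(void (*reset)(struct stream *))
{
    memset(pool_in_use, 0, sizeof pool_in_use);          /* fresh heap for each run */
    struct stream a = { .id = 1, .buf = pool_alloc() };
    strcpy(a.buf, "stream 1 headers");                   /* constructed payload */
    reset(&a);                                           /* legitimate teardown of A */
    struct stream b = { .id = 3, .buf = pool_alloc() };  /* allocator hands out A's old slot */
    strcpy(b.buf, "stream 3 headers");                   /* constructed payload */
    reset(&a);                                           /* late reset for A: the double free */
    return !pool_is_live(b.buf);
}

int main(void)
{
    printf("unsafe reset: victim buffer freed = %d\n", victim_buffer_freed(stream_reset_unsafe));
    printf("safe reset:   victim buffer freed = %d\n", victim_buffer_freed(stream_reset_safe));
    return 0;
}
```

With the unsafe reset the function reports that stream B's buffer was freed while B still owns it; with the safe reset it reports no damage. Clearing the pointer after release is the cheap half of the fix; the other half in real code is making sure the teardown path is entered once per object, because a NULL check cannot protect a pointer copy held elsewhere.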
This vulnerability exclusively affects Apache HTTP Server version 2.4.66. It was first reported to the Apache security team on December 10, 2025, by Bartlomiej Dmitruk of striga.ai and Stanislaw Strzalkowski of isec.pl. A fix was promptly committed on December 11, 2025, and the public patch was included in the 2.4.67 release on May 4, 2026.
CVE-2026-24072: Privilege Escalation via mod_rewrite
Another notable vulnerability addressed in this update is CVE-2026-24072, rated Moderate. It lies in the `mod_rewrite` module's use of `ap_expr` expression evaluation and allows local `.htaccess` authors to read arbitrary files with the privileges of the `httpd` user, i.e. anything the server process itself can read, which is an escalation beyond the access a `.htaccess` author is meant to have.
This vulnerability affects Apache HTTP Server version 2.4.66 and earlier. It was reported on January 20, 2026, by researcher y7syeu.
Additional Vulnerabilities Patched
The 2.4.67 update also addresses three lower-severity vulnerabilities:
– CVE-2026-28780: A heap-based buffer overflow in the `mod_proxy_ajp` module via the `ajp_msg_check_header()` function. If `mod_proxy_ajp` connects to a malicious AJP server, that server can send a crafted AJP message causing the module to write four attacker-controlled bytes beyond the end of a heap buffer. Exposure therefore requires an attacker who controls, or can impersonate, an AJP backend, so only deployments that proxy to AJP are affected. This vulnerability affects versions up to 2.4.66 and was reported independently by four researchers between February and March 2026.
– CVE-2026-29168: An uncapped resource allocation vulnerability in the `mod_md` module’s OCSP response handler. Attackers could exploit this to exhaust server resources via oversized OCSP response data. This issue affects versions 2.4.30 through 2.4.66 and was reported by Pavel Kohout of Aisle Research on March 2, 2026.
– CVE-2026-29169: A NULL pointer dereference in the `mod_dav_lock` module that allows an attacker to crash the server using a maliciously crafted request. Notably, `mod_dav_lock` is not used internally by `mod_dav` or `mod_dav_fs`; its only known use case was with `mod_dav_svn` from Apache Subversion versions prior to 1.2.0. As a mitigation, administrators who cannot upgrade immediately may simply remove `mod_dav_lock`.
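The bug class behind the `mod_proxy_ajp` entry, a length field from an untrusted peer that must be validated before anything is written, is shown below in an added C example. It is not the `mod_proxy_ajp` code and is not a reconstruction of the specific fault in CVE-2026-28780; it only shows what a header check at that trust boundary has to guarantee. The AJP13 framing is real (container-to-server messages start with the bytes `'A'`,`'B'` followed by a 16-bit big-endian payload length; server-to-container messages use `0x12 0x34`), while the buffer size, the function names and the sample messages are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Receive-buffer geometry for this example (not mod_proxy_ajp's constants). */
#define AJP_HDR_LEN 4
#define AJP_BUF_SZ  8192

/* Container-to-server AJP13 messages start with the two bytes 'A','B'
 * followed by a 16-bit big-endian payload length. Returns the payload length
 * when the header is well-formed AND the payload fits in a receive buffer of
 * `capacity` bytes (header included); returns -1 otherwise. Both conditions
 * are checked before any byte is written, which is the property a header
 * check at a trust boundary must guarantee. */
int ajp_header_check(const uint8_t *hdr, size_t capacity)
{
    if (capacity < AJP_HDR_LEN)
        return -1;
    if (hdr[0] != 'A' || hdr[1] != 'B')
        return -1;                                      /* wrong magic */
    unsigned len = ((unsigned)hdr[2] << 8) | hdr[3];   /* attacker-chosen field */
    if (len > capacity - AJP_HDR_LEN)
        return -1;                                      /* would overrun the buffer */
    return (int)len;
}

/* Hypothetical receive step: copies header and payload into the fixed buffer
 * only after the header check passed and the bytes are actually present.
 * Returns the payload length, or -1 if the message was rejected. */
int ajp_receive(const uint8_t *msg, size_t msg_len, uint8_t *buf, size_t capacity)
{
    if (msg_len < AJP_HDR_LEN)
        return -1;                                      /* short read */
    int len = ajp_header_check(msg, capacity);
    if (len < 0 || (size_t)len > msg_len - AJP_HDR_LEN)
        return -1;                                      /* rejected or truncated */
    memcpy(buf, msg, AJP_HDR_LEN + (size_t)len);
    return len;
}

int main(void)
{
    uint8_t buf[AJP_BUF_SZ];
    /* Constructed messages of the kind a malicious AJP server could send. */
    const uint8_t good[]     = { 'A', 'B', 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
    const uint8_t oversize[] = { 'A', 'B', 0xFF, 0xFF };          /* claims 65535 bytes */
    const uint8_t badmagic[] = { 0x12, 0x34, 0x00, 0x01, 'x' };   /* server-to-container magic */
    const uint8_t trunc[]    = { 'A', 'B', 0x00, 0x10, 'x' };     /* claims 16 bytes, sends 1 */

    printf("good:      %d\n", ajp_receive(good, sizeof good, buf, sizeof buf));
    printf("oversize:  %d\n", ajp_receive(oversize, sizeof oversize, buf, sizeof buf));
    printf("bad magic: %d\n", ajp_receive(badmagic, sizeof badmagic, buf, sizeof buf));
    printf("truncated: %d\n", ajp_receive(trunc, sizeof trunc, buf, sizeof buf));
    return 0;
}
```

The two checks are deliberately separate: the header check bounds the declared length against the buffer, and the receive step bounds it against what actually arrived. Dropping either one leaves a way for the peer to make the copy run past the end of the buffer or past the end of the received data.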
Summary of Vulnerabilities:
| CVE Identifier | Severity | Component | Impact | Affected Versions |
|---|---|---|---|---|
| CVE-2026-23918 | High (CVSS 8.8) | HTTP/2 | Double Free / RCE | 2.4.66 only |
| CVE-2026-24072 | Moderate | mod_rewrite (ap_expr) | Privilege Escalation | ≤ 2.4.66 |
| CVE-2026-28780 | Low | mod_proxy_ajp | Heap Buffer Overflow | ≤ 2.4.66 |
| CVE-2026-29168 | Low | mod_md (OCSP) | Resource Exhaustion | 2.4.30–2.4.66 |
| CVE-2026-29169 | Low | mod_dav_lock | NULL Pointer Dereference / DoS | ≤ 2.4.66 |
Mitigation Recommendations
Given the widespread use of Apache HTTP Server globally, the RCE risk posed by CVE-2026-23918 is particularly concerning. Administrators are strongly urged to:
1. Upgrade Immediately: Update to Apache HTTP Server version 2.4.67 to patch all identified vulnerabilities.
2. Review Configuration Files: Limit who can author `.htaccess` files, and where per-directory overrides are not needed disable them with `AllowOverride None`; a `.htaccess` file that is never processed gives its author no foothold for CVE-2026-24072.
3. Monitor Server Logs: Check the error log for child processes exiting on signals (segmentation faults or aborts), which is how a triggered memory-corruption bug such as CVE-2026-23918 would most often show up, and review access logs for other unusual activity.
4. Disable Unused Modules: Stop loading modules that are not in use, such as `mod_dav_lock`, to reduce the attack surface. Where HTTP/2 is not required, not loading `mod_http2` (or removing `h2` and `h2c` from the `Protocols` directive) likewise removes the HTTP/2 code path in which CVE-2026-23918 lives until the upgrade is applied.
By promptly applying these updates and following best practices, organizations can protect their servers from potential exploitation and maintain the integrity of their web services.