Vulnerability Management, Patch/Configuration Management, Network Security

Apache fixes critical HTTP/2 vulnerability allowing remote code execution

Homepage of Apache website on the display of PC

(Adobe Stock)

As outlined in Security Affairs, Apache has released critical updates for its HTTP Server to address multiple vulnerabilities, including a severe flaw in its HTTP/2 protocol handler.

The vulnerability, identified as CVE-2026-23918 with a CVSS score of 8.8, is a double-free error within the HTTP/2 implementation. This flaw could allow an attacker to execute arbitrary code remotely on affected systems. Discovered by researchers Bartlomiej Dmitruk and Stanislaw Strzalkowski, the issue arises from a crafted HTTP/2 sequence that causes the same stream to be processed twice, leading to memory corruption.

The vulnerability impacts version 2.4.66 and is resolved in 2.4.67. Its exploitation could lead to denial of service or, in specific configurations like those using APR with mmap, remote code execution. A proof-of-concept exploit exists, and while the MPM prefork module is not affected, the widespread adoption of HTTP/2 increases the potential attack surface for this critical vulnerability.

Source: Security Affairs

An In-Depth Guide to Network Security

Get essential knowledge and practical strategies to fortify your network security.

Related

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

Related Terms

Berkeley Internet Name Domain (BIND)Broadcast AddressCache PoisoningCellCircuit Switched NetworkCollisionComputer NetworkCrossover CableDomainDynamic Routing Protocol

You can skip this ad in 5 seconds