PT-2026-36811 · Apache · Apache Http Server

Author: Bartlomiej Dmitruk

Published: 2025-12-10 · Updated: 2026-06-15

CVE-2026-23918

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Apache HTTP Server version 2.4.66

Description: A double free condition exists in the HTTP/2 implementation of the Apache HTTP Server, specifically within the mod_http2 module. A double free occurs when the software attempts to release the same memory region twice, which can corrupt heap structures. This flaw allows a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service by sending specially crafted HTTP/2 traffic. The issue is particularly critical for servers handling multiple tenants or user-driven content, as attackers can establish numerous connections and streams to trigger the flaw. Standard authentication methods, such as basic authentication or reverse proxy authentication, do not prevent the establishment of these malicious connections, because the flaw is reached before any application-level authentication takes place.

Recommendations: Upgrade to version 2.4.67.

Exploit

Fix

DoS

RCE

NULL Pointer Dereference

Double Free

Weakness Enumeration

Related Identifiers

BDU:2026-06305
BDU:2026-06409
BIT-APACHE-2026-23918
CVE-2026-23918
OPENSUSE-SU-2026:10785-1
RHSA-2026:13938
USN-8239-1

Affected Products

Apache Http Server
Linuxmint
Ubuntu