Apache Releases Security Update for Apache HTTP Server (HTTP/2)

Summary

CVE‑2026‑23918 could allow remote unauthenticated attackers to achieve remote code execution or denial‑of‑service on Apache HTTP Server


Affected platforms

The following platforms are known to be affected:

Threat details

Proof-of-Concept Exploit for CVE-2026-23918

Security researchers have published a proof‑of‑concept exploit for CVE-2026-23918.

The NHS England National CSOC assesses exploitation as highly likely. 


Introduction

The Apache Software Foundation has released a security update to address a high-severity vulnerability in Apache HTTP Server. Successful exploitation could allow an unauthenticated remote attacker to crash the service or potentially achieve remote code execution.

  • CVE‑2026‑23918 – "Double Free" vulnerability – CVSS v3.1 score of 8.8

Note: An Apache HTTP Server installation is only affected by this vulnerability if it has the HTTP/2 protocol enabled.
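
One way to check that precondition on a host, as an added example that is not part of the advisory or of Apache's own tooling: the shell function below reads httpd configuration text (or `apachectl -M` output) on stdin and reports whether mod_http2 is loaded and whether any Protocols directive offers h2 or h2c. The function name, status strings and sample configurations are constructed for illustration, and the function does not follow Include directives, so it must be given every configuration file in use.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether httpd configuration
# text on stdin turns on HTTP/2, the precondition noted for CVE-2026-23918.
# Also accepts `apachectl -M` output, which covers statically built modules.
http2_status() {
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF files
        NF == 0 || $1 ~ /^#/ { next }           # skip blanks and comments
        {
            d = tolower($1)
            # mod_http2 loaded via config, or listed by `apachectl -M`
            if (d == "loadmodule" && tolower($2) == "http2_module") mod = 1
            if (d == "http2_module") mod = 1
            # Protocols may appear per server or per vhost; any h2/h2c counts
            if (d == "protocols")
                for (i = 2; i <= NF; i++)
                    if (tolower($i) == "h2" || tolower($i) == "h2c") proto = 1
        }
        END {
            if (mod && proto) print "http2-enabled"
            else if (mod)     print "module-loaded-not-negotiated"
            else if (proto)   print "protocols-set-module-missing"
            else              print "http2-disabled"
        }'
}

# Constructed sample inputs (not taken from any real host).
sample_h2() { printf '%s\n' \
    'LoadModule http2_module modules/mod_http2.so' \
    '<VirtualHost *:443>' \
    '    # Protocols http/1.1' \
    '    Protocols h2 http/1.1' \
    '</VirtualHost>'; }
sample_h1() { printf '%s\n' \
    'LoadModule http2_module modules/mod_http2.so' \
    '#Protocols h2 h2c http/1.1' \
    'Protocols http/1.1'; }

echo "sample_h2: $(sample_h2 | http2_status)"
echo "sample_h1: $(sample_h1 | http2_status)"
```

Only the "http2-enabled" result meets the condition in the note above; a host reporting it still needs its installed version compared against the Apache advisory.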


Remediation advice

Affected organisations are encouraged to review the Apache advisory "Apache HTTP Server Security Vulnerabilities (2.4.x)" and apply relevant patches as soon as possible.



Last edited: 7 May 2026 2:38 pm