{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23918", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-01-19T13:00:21.720Z", "datePublished": "2026-05-04T14:44:28.513Z", "dateUpdated": "2026-05-05T03:56:10.684Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache HTTP Server", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "2.4.66", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bartlomiej Dmitruk, striga.ai"}, {"lang": "en", "type": "finder", "value": "Stanislaw Strzalkowski, isec.pl"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol.</p><p>This issue affects Apache HTTP Server: 2.4.66.</p><p>Users are recommended to upgrade to version 2.4.67, which fixes the issue.</p>"}], "value": "Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol.\n\nThis issue affects Apache HTTP Server: 2.4.66.\n\nUsers are recommended to upgrade to version 2.4.67, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-415", "description": "CWE-415 Double Free", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-05-04T14:44:28.513Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}], "source": {"discovery": "UNKNOWN"}, "timeline": [{"lang": "en", "time": "2025-12-10T14:02:00.000Z", "value": "reported in PR 69899"}, {"lang": "en", "time": "2025-12-11T14:03:00.000Z", "value": "fixed in r1930444, r1930796"}], "title": "Apache HTTP Server: http2: double free and possible RCE on early reset", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-05-04T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-23918"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-05T03:56:10.684Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/05/04/19"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-05-04T17:32:35.852Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/05/04/19"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-05-04T17:32:35.852Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-23918", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-05-04T15:11:00.674243Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-04T15:10:57.720Z"}}], "cna": {"title": "Apache HTTP Server: http2: double free and possible RCE on early reset", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Bartlomiej Dmitruk, striga.ai"}, {"lang": "en", "type": "finder", "value": "Stanislaw Strzalkowski, isec.pl"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "important"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache HTTP Server", "versions": [{"status": "affected", "version": "2.4.66", "versionType": "semver"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-10T14:02:00.000Z", "value": "reported in PR 69899"}, {"lang": "en", "time": "2025-12-11T14:03:00.000Z", "value": "fixed in r1930444, r1930796"}], "references": [{"url": "https://httpd.apache.org/security/vulnerabilities_24.html", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol.\n\nThis issue affects Apache HTTP Server: 2.4.66.\n\nUsers are recommended to upgrade to version 2.4.67, which fixes the issue.", "supportingMedia": [{"type": "text/html", "value": "<p>Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol.</p><p>This issue affects Apache HTTP Server: 2.4.66.</p><p>Users are recommended to upgrade to version 2.4.67, which fixes the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-415", "description": "CWE-415 Double Free"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-05-04T14:44:28.513Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23918", "state": "PUBLISHED", "dateUpdated": "2026-05-04T17:32:35.852Z", "dateReserved": "2026-01-19T13:00:21.720Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-05-04T14:44:28.513Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:http_server:2.4.66:*:*:*:*:*:*:*", "matchCriteriaId": "3F48B216-98B0-4261-8E74-3BCC6F37CD8C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol.\n\nThis issue affects Apache HTTP Server: 2.4.66.\n\nUsers are recommended to upgrade to version 2.4.67, which fixes the issue."}], "id": "CVE-2026-23918", "lastModified": "2026-05-04T20:24:58.200", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-05-04T15:16:03.583", "references": [{"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/05/04/19"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-415"}], "source": "security@apache.org", "type": "Secondary"}]}

{"bugzilla": {"description": "Apache HTTP Server: Apache HTTP Server: Remote Code Execution via Double Free in HTTP/2 Protocol", "id": "2465304", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2465304"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-1341", "details": ["A flaw was found in Apache HTTP Server. This vulnerability, related to a double free error within the HTTP/2 protocol implementation, could potentially allow a remote attacker to execute arbitrary code. Successful exploitation could lead to a complete compromise of the affected system."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-23918", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "mod_http2", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "httpd:2.4/httpd", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "httpd:2.4/mod_http2", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "mod_http2", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Affected", "package_name": "httpd", "product_name": "Red Hat Hardened Images"}, {"cpe": "cpe:/a:redhat:jboss_core_services:1", "fix_state": "Not affected", "package_name": "mod_http2", "product_name": "Red Hat JBoss Core Services"}], "public_date": "2026-05-04T14:44:28Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23918\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23918\nhttps://httpd.apache.org/security/vulnerabilities_24.html"], "statement": "This issue marked as Important rather than Moderate because it involves a memory safety violation (double free) in the HTTP/2 request handling path, which is directly exposed to untrusted network input. A double free condition can corrupt the heap allocator\u2019s internal metadata, enabling attackers to manipulate memory layout and potentially achieve arbitrary code execution (RCE) under favorable conditions. In this case, the flaw is triggered during an early stream reset in HTTP/2, meaning it can be exercised pre-authentication by a remote client without requiring complex application-level interaction. Given that Apache HTTP Server is widely deployed in internet-facing environments, even a low-probability RCE path significantly elevates risk.\nAdditionally, the vulnerability exists in a core protocol module rather than an optional edge feature, increasing the likelihood of exposure. It is also important to note that this vulnerability specifically affects Apache HTTP Server version 2.4.66 only, and our mod_http2 packages are not affected as they are built against non-vulnerable httpd versions.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.4.66"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Apache HTTP Server", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "http_server", "vendor": "apache"}], "created": "2026-05-04T16:30:03.765880+00:00", "updated": "2026-05-06T02:00:12.351179+00:00", "vendors": ["apache", "apache$PRODUCT$http_server"]}