The Apache Software Foundation has shipped Apache HTTP Server 2.4.67, released on May 4, 2026, as a security update patching five vulnerabilities, the most serious of them a high-severity (CVSS 8.8) double-free flaw in the HTTP/2 implementation that could be turned into Remote Code Execution (RCE). Given Apache HTTP Server's global footprint, powering an estimated 30% of all active websites, these flaws are an urgent and widespread concern for enterprise infrastructure.
The Most Critical Flaw: CVE-2026-23918
The headline vulnerability is CVE-2026-23918, rated High with a CVSS base score of 8.8. It is a double-free memory corruption bug triggered within Apache’s HTTP/2 protocol implementation during an “early stream reset” sequence.
A double-free vulnerability occurs when a program hands the same heap allocation to the allocator's free routine twice. The second free corrupts the allocator's bookkeeping, and an attacker who can influence what gets allocated and freed in between can frequently turn that corruption into a controlled write and, from there, redirect program execution; in this case the outcome would be code execution in the context of the httpd worker process. The vulnerability exclusively affects Apache HTTP Server 2.4.66.
The flaw was first reported to the Apache security team on December 10, 2025, by Bartlomiej Dmitruk of striga.ai and Stanislaw Strzalkowski of isec.pl. A fix was committed the very next day (December 11, 2025), with the public patch finally shipped five months later in the 2.4.67 release.
Full Vulnerability Breakdown
The 2.4.67 update addresses five separate CVEs across multiple modules:
- CVE-2026-23918 (High, CVSS 8.8) — Double-free in HTTP/2 implementation. Affects 2.4.66 only. Can lead to Remote Code Execution.
- CVE-2026-24072 (Moderate) — Flaw in mod_rewrite when it evaluates ap_expr expressions. Allows local .htaccess authors to read arbitrary files with the privileges of the httpd user, i.e. beyond the access their .htaccess rights were meant to grant. Affects 2.4.66 and earlier.
- CVE-2026-28780 (Low) — Heap-based buffer overflow in mod_proxy_ajp via ajp_msg_check_header(). A malicious AJP backend server can cause the module to write 4 attacker-controlled bytes beyond the end of a heap buffer. Affects 2.4.66 and earlier. The attacker position is the backend, so the realistic threat is a compromised application server pivoting into the front end.
- CVE-2026-29168 (Low) — Uncapped resource allocation in mod_md's OCSP response handler. Oversized OCSP response data can exhaust server resources; since that data comes from the OCSP responder mod_md queries (normally over plain HTTP), the attacker is a malicious or compromised responder or someone on that network path. Affects versions 2.4.30 through 2.4.66.
- CVE-2026-29169 (Low) — NULL pointer dereference in mod_dav_lock that allows a crafted request to crash the server. Administrators who cannot upgrade immediately can mitigate by unloading the module. mod_dav_lock is a generic lock provider for DAV backends that do not implement their own locking; the stock filesystem backend mod_dav_fs keeps its own lock database (DavLockDB), so deployments that only serve filesystem WebDAV can usually remove it, but confirm first that no other DAV provider in the build depends on it.
Why This Matters at Scale
Apache HTTP Server is the backbone of an enormous portion of the global internet. From enterprise web applications and government portals to content management systems and API gateways, the web server's presence is pervasive. Even a low exploitation rate for CVE-2026-23918 translates into potentially thousands of compromised servers globally, each a foothold for data exfiltration, lateral movement, or ransomware deployment.
The HTTP/2 protocol, which is the vector for the double-free vulnerability, is widely enabled in production environments for performance reasons. In httpd it is provided by mod_http2 and switched on with the Protocols directive (h2 for TLS, h2c for cleartext), which can appear both globally and per VirtualHost. Any 2.4.66 server that loads mod_http2 and offers h2 or h2c anywhere in its configuration is exposed, and organizations that have never explicitly reviewed their HTTP/2 configuration should assume that they are.
Recommended Immediate Actions
Administrators running Apache HTTP Server should act without delay:
- Upgrade to Apache HTTP Server 2.4.67 immediately. This is the only complete remediation for all five vulnerabilities.
- If immediate upgrade is not feasible: Disable HTTP/2 temporarily to eliminate exposure to CVE-2026-23918. In the Apache configuration, find every Protocols line that lists h2 (or h2c, the cleartext variant) and replace it, for example changing Protocols h2 http/1.1 to Protocols http/1.1, then reload httpd. Check the global context and every VirtualHost, since Protocols can be set in either; unloading mod_http2 entirely is the surest option.
- Remove mod_dav_lock if it is not actively in use, as an interim mitigation for CVE-2026-29169.
- Audit .htaccess permissions: review which users can write .htaccess files, and which directories have AllowOverride set to anything other than None, to limit exposure to CVE-2026-24072 in multi-tenant or shared hosting environments.
- Review AJP connector configurations and ensure that mod_proxy_ajp only connects to trusted, controlled backend servers over a network you control, since CVE-2026-28780 requires a malicious backend.
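The checks above can be run against a configuration before and after the interim changes. The script below is an added example, not code from the Apache project or the advisory: it takes the httpd configuration as text plus the running version string and reports which of the five CVEs apply, using the affected-version and configuration conditions listed earlier (the advisory does not state a version range for CVE-2026-29169, so the script assumes every unpatched version is affected). Module names are httpd's own LoadModule identifiers (http2_module, dav_lock_module, proxy_ajp_module, md_module); the sample configuration is constructed for the example and not taken from any real host. strip_h2() applies the HTTP/2 mitigation to every Protocols line, global or per-vhost.

```python
"""Offline triage of an httpd configuration against the 2.4.67 advisory.

Added example, not Apache's code. Reads config text and a version string and
returns the advisory CVEs the deployment is exposed to. Module identifiers
are the ones httpd uses in LoadModule lines.
"""

# Constructed sample config for the example (not captured from a real host).
SAMPLE_CONF = """\
LoadModule http2_module modules/mod_http2.so
LoadModule dav_module modules/mod_dav.so
LoadModule dav_lock_module modules/mod_dav_lock.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule md_module modules/mod_md.so
# Protocols h2 http/1.1   <- commented out, must be ignored
Protocols h2 http/1.1
<VirtualHost *:443>
    Protocols h2 h2c http/1.1
    ProxyPass "/app" "ajp://10.0.5.20:8009/app"
    <Directory "/var/www/sites">
        AllowOverride FileInfo
    </Directory>
</VirtualHost>
"""

H2_TOKENS = {"h2", "h2c"}


def parse_version(version):
    """'2.4.66' -> (2, 4, 66) so versions compare as tuples."""
    return tuple(int(part) for part in version.split("."))


def directives(conf):
    """Yield (name, args) per directive line, skipping comments and section
    tags; httpd's optional double quotes around arguments are stripped."""
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        name, *args = line.split()
        yield name, [a.strip('"') for a in args]


def audit(conf, version):
    """Return the advisory CVEs that apply to this config at this version."""
    ver = parse_version(version)
    loaded, protocols, ajp_backends, overrides = set(), set(), [], []
    for name, args in directives(conf):
        if name == "LoadModule" and args:
            loaded.add(args[0])
        elif name == "Protocols":
            protocols.update(a.lower() for a in args)
        elif name in ("ProxyPass", "ProxyPassMatch") and len(args) > 1 \
                and args[1].lower().startswith("ajp://"):
            ajp_backends.append(args[1])
        elif name == "AllowOverride" and args and args[0].lower() != "none":
            overrides.append(" ".join(args))

    findings = []
    # Double free in mod_http2: 2.4.66 only, and only reachable when the
    # module is loaded and h2 or h2c is actually offered somewhere.
    if ver == (2, 4, 66) and "http2_module" in loaded and protocols & H2_TOKENS:
        findings.append("CVE-2026-23918")
    if ver <= (2, 4, 66):
        # mod_rewrite/ap_expr file read by .htaccess authors: only matters
        # where .htaccess is honoured (AllowOverride other than None).
        if overrides:
            findings.append("CVE-2026-24072")
        # AJP overflow needs a malicious backend, so flag real ajp:// targets.
        if "proxy_ajp_module" in loaded and ajp_backends:
            findings.append("CVE-2026-28780")
        # mod_md OCSP handler: advisory range is 2.4.30 through 2.4.66.
        if ver >= (2, 4, 30) and "md_module" in loaded:
            findings.append("CVE-2026-29168")
        # NULL deref in mod_dav_lock: range not stated in the advisory;
        # assumed here to apply to every unpatched version.
        if "dav_lock_module" in loaded:
            findings.append("CVE-2026-29169")
    return findings


def strip_h2(conf):
    """Interim mitigation for CVE-2026-23918: rewrite every Protocols line
    so it no longer offers h2/h2c, keeping indentation and other tokens."""
    out = []
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("Protocols "):
            indent = raw[: len(raw) - len(raw.lstrip())]
            keep = [a for a in line.split()[1:] if a.lower() not in H2_TOKENS]
            out.append(indent + "Protocols " + " ".join(keep or ["http/1.1"]))
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("2.4.66 as configured:", audit(SAMPLE_CONF, "2.4.66"))
    print("2.4.66 after strip_h2:", audit(strip_h2(SAMPLE_CONF), "2.4.66"))
    print("2.4.67:", audit(SAMPLE_CONF, "2.4.67"))
```

On a live host the input would be the output of httpd -t -D DUMP_INCLUDES (to find every included file) fed through the same parser, and the version from httpd -v; the script deliberately ignores <IfModule> guards, so a finding means "review this", not "confirmed exploitable".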
Patch Availability
Apache HTTP Server 2.4.67 is available immediately from the official Apache downloads page. Linux distribution package managers (apt, yum, dnf) will receive updated packages as distribution maintainers update their repositories; building from the Apache source gets the fix onto a host fastest, but note that distributions often backport security fixes without changing the package version, so check the package changelog or security advisory rather than the reported version number, and that replacing a distribution package with a source build means future security fixes must be tracked manually as well. Cloud providers hosting Apache-based workloads should be checked for managed update channels.
Given the severity of CVE-2026-23918 and the scale of Apache HTTP Server deployments globally, this update should be treated as a critical, zero-delay patching priority across all affected infrastructure.