CVE-2026-23918
Apache HTTP Server: http2: double free and possible RCE on early reset
Description
Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
INFO
- Published Date: May 4, 2026, 3:16 p.m.
- Last Modified: May 4, 2026, 8:24 p.m.
- Remotely Exploitable: Yes
- Source: [email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| | CVSS 3.1 | HIGH | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | | | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
Solution
- Upgrade Apache HTTP Server to 2.4.67.
- Apply vendor patches for HTTP/2.
Public PoC/Exploit Available on GitHub
CVE-2026-23918 has 13 public PoCs/exploits available on GitHub; they are listed in the Public Exploits section below.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2026-23918.
| URL | Resource |
|---|---|
| https://httpd.apache.org/security/vulnerabilities_24.html | Vendor Advisory |
| http://www.openwall.com/lists/oss-security/2026/05/04/19 | Mailing List Third Party Advisory |
CWE - Common Weakness Enumeration
While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2026-23918 is associated with the following CWEs:
- CWE-415 (Double Free)
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2026-23918 weaknesses.
Public Exploits
We scan GitHub repositories to detect new proof-of-concept exploits. The following list collects the public exploits and proofs-of-concept published on GitHub, sorted by most recently updated. Each entry gives the repository description followed by its languages in parentheses.
- CVE-2026 PoC Collection - 128 PoCs covering 84 CVEs (Python, Dockerfile, Shell, Java, C, Makefile, Objective-C, Rust, C++, Go)
- Python toolkit to audit Apache HTTP Server against CVE-2026-23918 (HTTP/2 double-free RCE) and 4 related CVEs. Passive scanner with ALPN verification + read-only local auditor. No exploits. (Python)
- Static Docsify cybersecurity news digest deployed on Vercel (HTML, Python)
- No description (Python)
- Apache httpd mod_http2 double-free, pre-auth RCE PoC (Dockerfile, Python)
- Detection rules for CVE-2026-23918 Apache http2 RCE - Credit: stringa.ai, isec.pl
- CVE-2026-23918 Apache mod_http2 Double-Free Detector (Python)
- CVE-2026-23918-Apache-HTTP-Server-DoubleFree-PoC (Python)
- This is a proactive tool for security auditing. For your GitHub repository, you’ll want a description that highlights its safety (non-intrusive) and its specific utility for system administrators. (Python)
- Proof-of-Concept exploit for CVE-2026-23918 (Apache mod_http2 double-free). Features multi-mode DoS (Rapid-RST, Slow-Drip) and passive RCE/vulnerability detection for Apache 2.4.66. Topics: apache, cve-2026-23918, cybersecurity, denial-of-service, dos, double-free, exploit, http2, infosec, python, race-condition (Python)
- No description (Shell)
- Apache HTTP/2 double-free vulnerability PoC (CVE-2026-23918). Topics: apache-httpd, cve, dos, poc, vulnerability-research, cve-2026-23918, cwe-415 (Python, Dockerfile)
- Passive HTTP metadata auditor for CVE-2026-23918 exposure triage (Makefile, Python)
Results are limited to the first 15 repositories due to potential performance issues.
The following list contains news articles that mention the CVE-2026-23918 vulnerability anywhere in the article.
- The Hacker News: Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence. Cybersecurity researchers have disclosed a set of four security flaws in OpenClaw that could be chained to achieve data theft, privilege escalation, and persistence. The vulnerabilities, collectively ...
- The Hacker News: On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email. Microsoft has disclosed a new security vulnerability impacting on-premise versions of Exchange Server that it said has come under active exploitation in the wild. The vulnerability, tracked as CVE-202 ...
- The Hacker News: CISA Adds Cisco SD-WAN CVE-2026-20182 to KEV After Admin Access Exploits. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a newly disclosed vulnerability impacting Cisco Catalyst SD-WAN Controller to its Known Exploited Vulnerabilities (KEV ...
- The Hacker News: Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access. Cisco has released updates to address a maximum-severity authentication bypass flaw in Catalyst SD-WAN Controller that it said has been exploited in limited attacks. The vulnerability, tracked as CVE- ...
- The Hacker News: ThreatsDay Bulletin: PAN-OS RCE, Mythos cURL Bug, AI Tokenizer Attacks, and 10+ Stories. Everything is still on fire. This week feels dumb in the worst way — bad links, weak checks, fake help desks, shady forum posts, and people turning supply chain attacks into some cursed little game fo ...
- The Hacker News: Ghostwriter Targets Ukrainian Government With Geofenced PDF Phishing, Cobalt Strike. The Belarus-aligned threat group known as Ghostwriter has been attributed to a fresh set of attacks targeting governmental organizations in Ukraine. Active since at least 2016, Ghostwriter has been li ...
- The Hacker News: PraisonAI CVE-2026-44338 Auth Bypass Targeted Within Hours of Disclosure. Threat actors have been observed attempting to exploit a recently disclosed security vulnerability in PraisonAI, an open-source multi-agent orchestration framework, within four hours of public disclos ...
- The Hacker News: Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation. An anonymous cybersecurity researcher who disclosed three Microsoft Defender vulnerabilities has returned with two more zero-days involving a BitLocker bypass and a privilege escalation impacting Wind ...
- The Hacker News: 18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE. Cybersecurity researchers have disclosed multiple security vulnerabilities impacting NGINX Plus and NGINX Open, including a critical flaw that remained undetected for 18 years. The vulnerability, disc ...
- The Hacker News: Microsoft's MDASH AI System Finds 16 Windows Flaws Fixed in Patch Tuesday. Microsoft has unveiled a new multi-model artificial intelligence (AI)-driven system called MDASH to facilitate vulnerability discovery and remediation at scale, adding that it's being tested by some c ...
- The Hacker News: Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages. TeamPCP, the threat actor behind the recent supply chain attack spree, has been linked to the compromise of the npm and PyPI packages from TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI a ...
- The Hacker News: cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor. A threat actor named Mr_Rot13 has been attributed to the exploitation of a recently disclosed critical cPanel flaw to deploy a backdoor codenamed Filemanager on compromised environments. The attack ex ...
- The Hacker News: Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak. Cybersecurity researchers have disclosed a critical security vulnerability in Ollama that, if successfully exploited, could allow a remote, unauthenticated attacker to leak its entire process memory. ...
- The Hacker News: Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE. The Apache Software Foundation (ASF) has released security updates to address several security vulnerabilities in the HTTP Server, including a severe vulnerability that could potentially lead to remot ...
The following tables list the changes that have been made to the CVE-2026-23918 vulnerability over time. Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
Initial Analysis by [email protected] (May 04, 2026)
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CPE Configuration | | OR `*cpe:2.3:a:apache:http_server:2.4.66:*:*:*:*:*:*:*` |
| Added | Reference Type | | CVE: http://www.openwall.com/lists/oss-security/2026/05/04/19 Types: Mailing List, Third Party Advisory |
| Added | Reference Type | | Apache Software Foundation: https://httpd.apache.org/security/vulnerabilities_24.html Types: Vendor Advisory |
CVE Modified by af854a3a-2127-422b-91ae-364da2661108 (May 04, 2026)
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | | http://www.openwall.com/lists/oss-security/2026/05/04/19 |
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0 (May 04, 2026)
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CVSS V3.1 | | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
New CVE Received by [email protected] (May 04, 2026)
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Description | | Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue. |
| Added | CWE | | CWE-415 |
| Added | Reference | | https://httpd.apache.org/security/vulnerabilities_24.html |