A critical double-free flaw in Apache's HTTP/2 implementation, tracked as CVE-2026-23918 with a CVSS score of 8.8, has been patched by the Apache Software Foundation, closing off a path to remote code execution. The vulnerability, discovered by researchers Bartlomiej Dmitruk and Stanislaw Strzalkowski, could be exploited by attackers to gain unauthorized access to affected systems. The root cause is a "double free" error in HTTP/2 handling: freeing the same memory twice corrupts the allocator's state, and that memory corruption is what could ultimately allow remote code execution [1]. The Apache Software Foundation has released updates to fix this and other vulnerabilities in its HTTP Server. Given the high CVSS score and the potential for RCE, organizations running an affected version should prioritize patching according to their specific exposure and any available evidence of exploitation. The disclosure expands the active attack surface, so practitioners should act promptly to mitigate the risk.
Apache fixes critical HTTP/2 double-free flaw CVE-2026-23918 enabling RCE
⚡ High Priority
Why This Matters
CVE-2026-23918 disclosure expands the active attack surface — prioritize based on your exposure and exploitation evidence.
References
- SecurityAffairs. (2026, May 6). Apache fixes critical HTTP/2 double-free flaw CVE-2026-23918 enabling RCE. *SecurityAffairs*. https://securityaffairs.com/191759/security/apache-fixes-critical-http-2-double-free-flaw-cve-2026-23918-enabling-rce.html
Original Source
SecurityAffairs